Recipe Name:
Input Validation: Avoid JDBC Injection: Bind variables in prepared statements: single parameter
Description:
Could lead to JDBC Injection
Level:
error
Language:
- java
Tags:
- Spring
- security
- Spring Data
- framework specific
- injection
- SQL
- OWASP Top 10
Documentation
Abstract
Secure coding practices prescribe that variables should be bound in prepared statements to mitigate the risk of SQL injection.
Description
Input values in SQL queries cannot simply be concatenated into the query string. Instead, parameterized queries should be used, so that the untrusted value is sent to the database as a bound parameter rather than as part of the statement text.
Class information:
Package: org.springframework.jdbc.core
Class: JdbcTemplate
Methods: query, queryForMap, queryForObject, queryForRowSet
Use these functions as follows.
Correct code example:
import org.springframework.jdbc.core.JdbcTemplate;

// The no-arg constructor requires a DataSource to be set (setDataSource) before the
// template can execute queries. paramName is the untrusted value: it is bound through
// the '?' placeholder, never concatenated into the SQL string.
JdbcTemplate jdbc = new JdbcTemplate();
int count = jdbc.queryForObject("select count(*) from Users where name = ?", Integer.class, paramName);
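The following is an added example, not code from the recipe or from Spring itself. It puts the concatenation pattern this recipe flags next to the parameterized form the recipe's fix produces, covering queryForObject, queryForList and update on a JdbcTemplate backed by a real DataSource. It assumes spring-jdbc and the H2 driver are on the classpath; the table name Users, the DriverManagerDataSource wiring, the class name UserRepository and the sample rows are assumptions made for the demonstration.

```java
// Added example (not part of the Sensei recipe or Spring's own code).
// Assumes spring-jdbc and an in-memory H2 database driver on the classpath.
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.DriverManagerDataSource;

public class UserRepository {

    private final JdbcTemplate jdbc;

    public UserRepository(DataSource dataSource) {
        // A JdbcTemplate can only execute queries once it has a DataSource.
        this.jdbc = new JdbcTemplate(dataSource);
    }

    // BEFORE: untrusted input concatenated into the SQL string. This is the shape the
    // recipe's search matches (a String argument containing untrusted input passed to a
    // JdbcOperations method) and reports at level "error".
    public int countUsersUnsafe(String name) {
        String sql = "select count(*) from Users where name = '" + name + "'";
        return jdbc.queryForObject(sql, Integer.class);
    }

    // AFTER: the value is bound through the '?' placeholder. The driver sends it to the
    // database separately from the statement text, so quotes or keywords inside `name`
    // are compared as data and can never change the query's structure.
    public int countUsersSafe(String name) {
        return jdbc.queryForObject("select count(*) from Users where name = ?", Integer.class, name);
    }

    // queryForList is on the recipe's method list. Passing the untrusted input as a
    // String[] matches the form the "Use parameterized queries" fix generates
    // (extractUntrustedInput: array of java.lang.String[] at argument position 2).
    public List<Map<String, Object>> findUsersByName(String name) {
        return jdbc.queryForList("select id, name from Users where name = ?", new String[] { name });
    }

    // update is also on the recipe's method list; every untrusted value is a bound parameter.
    public int renameUser(long id, String newName) {
        return jdbc.update("update Users set name = ? where id = ?", newName, id);
    }

    public static void main(String[] args) {
        // Constructed schema and rows for the demonstration (assumed H2 in-memory database).
        DataSource ds = new DriverManagerDataSource("jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1", "sa", "");
        JdbcTemplate setup = new JdbcTemplate(ds);
        setup.execute("create table Users(id bigint primary key, name varchar(64))");
        setup.update("insert into Users values (1, 'alice'), (2, 'bob')");

        UserRepository repo = new UserRepository(ds);
        // Constructed input containing a quote character: harmless when bound as a
        // parameter, but it breaks out of the literal in the concatenated query.
        String quoted = "x' or '1'='1";

        System.out.println("bound, exact name:   " + repo.countUsersSafe("alice"));
        System.out.println("bound, quoted input: " + repo.countUsersSafe(quoted));   // compared literally; no row has this name
        System.out.println("concatenated input:  " + repo.countUsersUnsafe(quoted)); // the WHERE clause no longer filters by name
        System.out.println("queryForList rows:   " + repo.findUsersByName("bob").size());
        System.out.println("update rows:         " + repo.renameUser(2, "robert"));
    }
}
```

Run it with spring-jdbc and H2 on the classpath; the two countUsers calls with the same quoted input show the difference the recipe is enforcing: the bound version treats the whole string as one name, while the concatenated version lets the quote alter the statement.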
Recipe
id: scw:spring:jdbc:JdbcOperations-single-parameter
version: 10
metadata:
  name: 'Input Validation: Avoid JDBC Injection: Bind variables in prepared statements: single parameter'
  shortDescription: Could lead to JDBC Injection
  level: error
  language: java
  newCodeOnly: false
  scwCategory: injection:sql
  enabled: true
  descriptionFile: descriptions/InputValidationAvoidJDBCInjectionBindvariablesinpreparedstatements.html
  tags: Spring;security;Spring Data;framework specific;injection;SQL;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          containsUntrustedInput: true
    argCount: 1
    name:
      matches: queryForList|queryForMap|queryForRowSet|update|batchUpdate
    declaration:
      type: org.springframework.jdbc.core.JdbcOperations
availableFixes:
  - name: Use parameterized queries
    actions:
      - parameterize:
          placeholderFormat: '?'
          extractUntrustedInput:
            array:
              type: java.lang.String[]
              atArgumentPosition: 2