SV.SQL
This error detects the situation when unvalidated or tainted data is used directly in an SQL query string. Specifically, this error traces user input from various sources, such as HTTP requests via J2EE servlets, to the use of this data in SQL statements. If this data is used, unchecked, directly in the SQL statement used in the java.sql.Statement.execute() method, then attackers can enter arbitrary SQL statements into this string. This allows arbitrary SQL commands to be run directly from the user interface.
Vulnerability and risk
SQL injections put data in the database at risk. Since unvalidated user input is being used in the SQL statement, an attacker can inject any SQL statement they wish to execute. This includes deleting, updating or creating data. It may also be possible to retrieve sensitive data from the database with this type of vulnerability. If the command is used for authentication, it will lead to unauthorized access.
Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.
Mitigation and prevention
Prevent SQL injection flaws by validating any and all input from outside the application (user input, file input, system parameters, etc.). Validation should include length and content. Typically only alphanumeric characters are needed (i.e., A-Za-z, 0-9). Any other accepted characters should be escaped. This validation should be done at each source of data, such as when each parameter is read from the HTTP request. Additionally it may be advisable to check all strings that are used in SQL statements before their use. Moreover, the use of SQL statements as in the sample is also dangerous, as it allows for injection flaws and other potentially dangerous SQL execution. Use SQL prepared statements for creating, updating and deleting records.
Example 1
public ResultSet getUserData(ServletRequest req, Connection con) throws SQLException {
// Source of data from HTTP request in servlet
String accountNumber = req.getParameter("accountNumber");
// Use of string in SQL statement
String query = "SELECT * FROM user_data WHERE userid = '" + accountNumber + "'";
Statement statement = con.createStatement(ResultSet.TYPE_SCROLL_INSENSITIVE, ResultSet.CONCUR_READ_ONLY);
ResultSet results = statement.executeQuery(query);
return results;
}
SV.SQL is reported for line 21: 'accountNumber' contains data coming from an HTTP request parameter and might be tainted (line 17). This value is concatenated with a constant string to form the 'query' on line 19. The 'query' is executed as an SQL statement on line 21. This can be exploited to inject arbitrary SQL statements.
External guidance
- CERT IDS00-J: Prevent SQL injection
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- OWASP A1:2017 Injection
- OWASP A3:2021 Injection
- STIG-ID:APP3530 Input Validation
- STIG-ID:APP3540.1 SQL Injection Vulnerabilities
Security training
Application security training materials provided by Secure Code Warrior.
Extension
This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.