Constructing a dynamic SQL statement with user input could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
SQL injection errors occur when:
1. Data enters a program from an untrusted source.
In this case the HP Fortify Static Code Analyzer could not determine that the source of the data is trusted.
2. The data is used to dynamically construct a SQL query.
Example 1: The following code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where the user matches the user name of the currently-authenticated user.
DATA: itm TYPE c.
DATA: user TYPE c.
...
itm = request->get_form_field( 'itm' ).
user = request->get_form_field( 'user' ).
CONCATENATE `user = '` user `'` INTO cl_where.
CONCATENATE cl_where ` AND itm = '` itm `'` INTO cl_where.
SELECT *
FROM items
INTO CORRESPONDING FIELDS OF TABLE itab_items
WHERE (cl_where).
ENDSELECT.
...
SELECT * FROM items
WHERE user = <userName>
AND itm = <itemName>;
itemName
does not contain a single-quote character. If an attacker with the user name wiley
enters the string "name' OR 'a'='a
" for itemName
, then the query becomes the following:
SELECT * FROM items
WHERE user = 'wiley'
AND itm = 'name' OR 'a'='a';
OR 'a'='a'
condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query:
SELECT * FROM items;
items
table, regardless of their specified user.wiley
enters the string "name'; DELETE FROM items; --
" for itemName
, then the query becomes the following two queries:
SELECT * FROM items
WHERE user = 'wiley'
AND itm = 'name';
DELETE FROM items;
--'
name'); DELETE FROM items; SELECT * FROM items WHERE 'a'='a
", the following three valid statements will be created:
SELECT * FROM items
WHERE user = 'wiley'
AND itm = 'name';
DELETE FROM items;
SELECT * FROM items WHERE 'a'='a';
[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A1 Injection
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A2 Injection Flaws
[3] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A6 Injection Flaws
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I, APP3540.1 CAT, APP3540.3 CAT II
[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 89
[6] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 089
[7] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Insecure Interaction - CWE ID 089
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1, Requirement 6.5.2
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.1
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.6
[11] Standards Mapping - FIPS200 - (FISMA) SI
[12] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) SQL Injection
[13] P. Finnigan SQL Injection and Oracle, Part One Security Focus
[14] S. J. Friedl SQL Injection Attacks by Example
[15] P. Litwin Stop SQL Injection Attacks Before They Stop You MSDN Magazine
[16] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press