Constructing a dynamic SQL statement with user input could allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.
SQL injection errors occur when:
1. Data enters a program from an untrusted source.
In this case HP Fortify Static Code Analyzer could not determine that the source of the data is trusted.
2. The data is used to dynamically construct a SQL query.
Example 1: The following code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where the owner matches the user name of the currently-authenticated user.
...
String userName = ctx.getAuthenticatedUserName();
String itemName = request.getParameter("itemName");
String query = "SELECT * FROM items WHERE owner = '"
+ userName + "' AND itemname = '"
+ itemName + "'";
ResultSet rs = stmt.execute(query);
...
SELECT * FROM items
WHERE owner = <userName>
AND itemname = <itemName>;
itemName
does not contain a single-quote character. If an attacker with the user name wiley
enters the string "name' OR 'a'='a
" for itemName
, then the query becomes the following:
SELECT * FROM items
WHERE owner = 'wiley'
AND itemname = 'name' OR 'a'='a';
OR 'a'='a'
condition causes the where clause to always evaluate to true, so the query becomes logically equivalent to the much simpler query:
SELECT * FROM items;
items
table, regardless of their specified owner.wiley
enters the string "name'; DELETE FROM items; --
" for itemName
, then the query becomes the following two queries:
SELECT * FROM items
WHERE owner = 'wiley'
AND itemname = 'name';
DELETE FROM items;
--'
name'); DELETE FROM items; SELECT * FROM items WHERE 'a'='a
", the following three valid statements will be created:
SELECT * FROM items
WHERE owner = 'wiley'
AND itemname = 'name';
DELETE FROM items;
SELECT * FROM items WHERE 'a'='a';
[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A1 Injection
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A2 Injection Flaws
[3] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A6 Injection Flaws
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3510 CAT I, APP3540.1 CAT, APP3540.3 CAT II
[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 564
[6] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 89
[7] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 089
[8] Standards Mapping - SANS Top 25 2010 - (SANS 2010) Insecure Interaction - CWE ID 089
[9] Standards Mapping - SANS Top 25 2009 - (SANS 2009) Insecure Interaction - CWE ID 116
[10] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 6.3.1.1, Requirement 6.5.2
[11] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 6.5.1
[12] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.6
[13] Standards Mapping - FIPS200 - (FISMA) SI
[14] Standards Mapping - Web Application Security Consortium 24 + 2 - (WASC 24 + 2) SQL Injection
[15] P. Finnigan SQL Injection and Oracle, Part One Security Focus
[16] S. J. Friedl SQL Injection Attacks by Example
[17] P. Litwin Stop SQL Injection Attacks Before They Stop You MSDN Magazine
[18] M. Howard, D. LeBlanc Writing Secure Code, Second Edition Microsoft Press