This page is not yet available in Spanish. We are working on its translation. If you have any questions or feedback about our current translation project, feel free to reach out to us!
This rule detects potential SQL injections. SQL Injection is a common application layer attack technique used by hackers to steal or manipulate data from the database. It occurs when an application includes untrusted data in a SQL command that is part of a query.
SQL injection can lead to serious data breaches, unauthorized access, data corruption, and in some cases, even complete system takeover. It is crucial to ensure your code is immune to such vulnerabilities.
Adhering to good coding practices can help avoid SQL injection. Always use parameterized queries or prepared statements instead of concatenating user input into SQL commands. For instance, use PreparedStatement with placeholders (?) in Java to ensure user input is appropriately sanitized before it is included in a SQL command. Avoid exposing detailed error messages that might reveal underlying database structure. Regularly update and patch your systems, and consider using a web application firewall for an additional layer of security.
Non-Compliant Code Examples
/**
* OWASP Benchmark v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
* @created 2015
*/packageorg.owasp.benchmark.testcode;importjava.io.IOException;importjavax.servlet.ServletException;importjavax.servlet.annotation.WebServlet;importjavax.servlet.http.HttpServlet;importjavax.servlet.http.HttpServletRequest;importjavax.servlet.http.HttpServletResponse;@WebServlet(value="/sqli-00/BenchmarkTest00018")publicclassBenchmarkTest00018extendsHttpServlet{privatestaticfinallongserialVersionUID=1L;@OverridepublicvoiddoGet(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{doPost(request,response);}@OverridepublicvoiddoPost(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{// some coderesponse.setContentType("text/html;charset=UTF-8");Stringparam="";java.util.Enumeration<String>headers=request.getHeaders("BenchmarkTest00018");if(headers!=null&&headers.hasMoreElements()){param=headers.nextElement();// just grab first element}// URL Decode the header value since req.getHeaders() doesn't. Unlike req.getParameters().param=java.net.URLDecoder.decode(param,"UTF-8");Stringsql="INSERT INTO users (username, password) VALUES ('foo','"+param+"')";try{java.sql.Statementstatement=org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement();intcount=statement.executeUpdate(sql);org.owasp.benchmark.helpers.DatabaseHelper.outputUpdateComplete(sql,response);}catch(java.sql.SQLExceptione){if(org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors){response.getWriter().println("Error processing request.");return;}elsethrownewServletException(e);}}}
/**
* OWASP Benchmark v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
* @created 2015
*/packageorg.owasp.benchmark.testcode;importjava.io.IOException;importjavax.servlet.ServletException;importjavax.servlet.annotation.WebServlet;importjavax.servlet.http.HttpServlet;importjavax.servlet.http.HttpServletRequest;importjavax.servlet.http.HttpServletResponse;@WebServlet(value="/sqli-00/BenchmarkTest00024")publicclassBenchmarkTest00024extendsHttpServlet{privatestaticfinallongserialVersionUID=1L;@OverridepublicvoiddoGet(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{doPost(request,response);}@OverridepublicvoiddoPost(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{// some coderesponse.setContentType("text/html;charset=UTF-8");Stringparam=request.getParameter("BenchmarkTest00024");if(param==null)param="";Stringsql="SELECT * from USERS where USERNAME=? and PASSWORD='"+param+"'";try{java.sql.Connectionconnection=org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();java.sql.PreparedStatementstatement=connection.prepareStatement(sql,java.sql.ResultSet.TYPE_FORWARD_ONLY,java.sql.ResultSet.CONCUR_READ_ONLY,java.sql.ResultSet.CLOSE_CURSORS_AT_COMMIT);statement.setString(1,"foo");statement.execute();org.owasp.benchmark.helpers.DatabaseHelper.printResults(statement,sql,response);}catch(java.sql.SQLExceptione){if(org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors){response.getWriter().println("Error processing request.");return;}elsethrownewServletException(e);}}}
/**
* OWASP Benchmark v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
* @created 2015
*/packageorg.owasp.benchmark.testcode;importjava.io.IOException;importjavax.servlet.ServletException;importjavax.servlet.annotation.WebServlet;importjavax.servlet.http.HttpServlet;importjavax.servlet.http.HttpServletRequest;importjavax.servlet.http.HttpServletResponse;@WebServlet(value="/sqli-00/BenchmarkTest00024")publicclassBenchmarkTest00024extendsHttpServlet{privatestaticfinallongserialVersionUID=1L;@OverridepublicvoiddoGet(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{doPost(request,response);}@OverridepublicvoiddoPost(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{// some coderesponse.setContentType("text/html;charset=UTF-8");Stringparam=request.getParameter("BenchmarkTest00024");if(param==null)param="";Stringsql="SELECT * from USERS where USERNAME=? and PASSWORD='"+param+"'";try{java.sql.Connectionconnection=org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();java.sql.PreparedStatementstatement=connection.prepareStatement(sql,java.sql.ResultSet.TYPE_FORWARD_ONLY,java.sql.ResultSet.CONCUR_READ_ONLY,java.sql.ResultSet.CLOSE_CURSORS_AT_COMMIT);statement.setString(1,"foo");statement.execute();org.owasp.benchmark.helpers.DatabaseHelper.printResults(statement,sql,response);}catch(java.sql.SQLExceptione){if(org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors){response.getWriter().println("Error processing request.");return;}elsethrownewServletException(e);}}}
/**
* OWASP Benchmark v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Dave Wichers
* @created 2015
*/packageorg.owasp.benchmark.testcode;importjava.io.IOException;importjavax.servlet.ServletException;importjavax.servlet.annotation.WebServlet;importjavax.servlet.http.HttpServlet;importjavax.servlet.http.HttpServletRequest;importjavax.servlet.http.HttpServletResponse;@WebServlet(value="/sqli-00/BenchmarkTest00008")publicclassBenchmarkTest00008extendsHttpServlet{privatestaticfinallongserialVersionUID=1L;@OverridepublicvoiddoGet(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{doPost(request,response);}@OverridepublicvoiddoPost(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{// some coderesponse.setContentType("text/html;charset=UTF-8");Stringparam="";if(request.getHeader("BenchmarkTest00008")!=null){param=request.getHeader("BenchmarkTest00008");}// URL Decode the header value since req.getHeader() doesn't. Unlike req.getParameter().param=java.net.URLDecoder.decode(param,"UTF-8");Stringsql="{call "+param+"}";try{java.sql.Connectionconnection=org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection();java.sql.CallableStatementstatement=connection.prepareCall(sql);java.sql.ResultSetrs=statement.executeQuery();org.owasp.benchmark.helpers.DatabaseHelper.printResults(rs,sql,response);}catch(java.sql.SQLExceptione){if(org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors){response.getWriter().println("Error processing request.");return;}elsethrownewServletException(e);}}}
Compliant Code Examples
/**
* OWASP Benchmark Project v1.2
*
* <p>This file is part of the Open Web Application Security Project (OWASP) Benchmark Project. For
* details, please see <a
* href="https://owasp.org/www-project-benchmark/">https://owasp.org/www-project-benchmark/</a>.
*
* <p>The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms
* of the GNU General Public License as published by the Free Software Foundation, version 2.
*
* <p>The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
* PURPOSE. See the GNU General Public License for more details.
*
* @author Nick Sanidas
* @created 2015
*/packageorg.owasp.benchmark.testcode;importjava.io.IOException;importjavax.servlet.ServletException;importjavax.servlet.annotation.WebServlet;importjavax.servlet.http.HttpServlet;importjavax.servlet.http.HttpServletRequest;importjavax.servlet.http.HttpServletResponse;@WebServlet(value="/sqli-00/BenchmarkTest00105")publicclassBenchmarkTest00105extendsHttpServlet{privatestaticfinallongserialVersionUID=1L;@OverridepublicvoiddoGet(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{response.setContentType("text/html;charset=UTF-8");javax.servlet.http.CookieuserCookie=newjavax.servlet.http.Cookie("BenchmarkTest00105","bar");userCookie.setMaxAge(60*3);// Store cookie for 3 minutesuserCookie.setSecure(true);userCookie.setPath(request.getRequestURI());userCookie.setDomain(newjava.net.URL(request.getRequestURL().toString()).getHost());response.addCookie(userCookie);javax.servlet.RequestDispatcherrd=request.getRequestDispatcher("/sqli-00/BenchmarkTest00105.html");rd.include(request,response);}@OverridepublicvoiddoPost(HttpServletRequestrequest,HttpServletResponseresponse)throwsServletException,IOException{response.setContentType("text/html;charset=UTF-8");javax.servlet.http.Cookie[]theCookies=request.getCookies();Stringparam="noCookieValueSupplied";if(theCookies!=null){for(javax.servlet.http.CookietheCookie:theCookies){if(theCookie.getName().equals("BenchmarkTest00105")){param=java.net.URLDecoder.decode(theCookie.getValue(),"UTF-8");break;}}}Stringbar;// Simple ? condition that assigns constant to bar on true conditionintnum=106;bar=(7*18)+num>200?"This_should_always_happen":param;Stringsql="SELECT * from USERS where USERNAME='foo' and PASSWORD='"+bar+"'";try{java.sql.Statementstatement=org.owasp.benchmark.helpers.DatabaseHelper.getSqlStatement();statement.addBatch(sql);int[]counts=statement.executeBatch();org.owasp.benchmark.helpers.DatabaseHelper.printResults(sql,counts,response);}catch(java.sql.SQLExceptione){if(org.owasp.benchmark.helpers.DatabaseHelper.hideSQLErrors){response.getWriter().println("Error processing request.");return;}elsethrownewServletException(e);}}}
Seamless integrations. Try Datadog Code Analysis
Datadog Code Analysis
Try this rule and analyze your code with Datadog Code Analysis
How to use this rule
1
2
rulesets:- java-security # Rules to enforce Java security.
Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Analysis scans to your CI pipelines