Input Validation / SQL Statement in Request Parameter
Description
SQL statement in request parameter is a web and API vulnerability that occurs when user-supplied input is used in an SQL query without first being filtered, validated, or sanitized. An attacker can then change the structure of the query, which leads to SQL injection (CWE-89). According to the OWASP Testing Guide, this vulnerability can be prevented with input validation, parameterized queries, and other database access controls (OWASP Testing Guide).
Risk
The risk associated with this vulnerability is high. A successful attack can let an attacker gain unauthorized access to data, modify or delete data, or even execute remote code on the vulnerable system.
Solution
The most effective solution is to use parameterized queries, also known as prepared statements: use a database API that supports them and pass user-supplied input as separate parameters rather than concatenating it into the query text.
Example
The following vulnerable code uses user-supplied input in an SQL query without validating it:
import java.sql.*;

// Vulnerable: the request parameter is concatenated directly into the query text
String query = "SELECT * FROM employees WHERE name = '" + request.getParameter("name") + "'";
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);
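As an added example that is not part of the original page, the Python program below contrasts the concatenation pattern shown above with the parameterized query the Solution recommends, using an in-memory SQLite database. The employees table, its rows, and the name-validation pattern are constructed for this demonstration; a name containing an apostrophe is enough to show that concatenated input changes the query's structure while a bound parameter is always treated as data.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
SAMPLE_EMPLOYEES = [
    (1, "Alice Smith", "Engineering"),
    (2, "O'Brien", "Finance"),
    (3, "Bob Jones", "Sales"),
]


def make_db():
    """Create an in-memory database holding the constructed employees table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT NOT NULL, dept TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", SAMPLE_EMPLOYEES)
    conn.commit()
    return conn


def find_by_name_vulnerable(conn, name):
    """Same pattern as the vulnerable Java snippet: input is spliced into the SQL text."""
    query = "SELECT * FROM employees WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_by_name_safe(conn, name):
    """Parameterized form: the driver binds the value, so it can never alter the query."""
    query = "SELECT * FROM employees WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Defense-in-depth allowlist for a person's name (assumed policy for this example).
# Apostrophes are legitimately part of names, which is why validation alone is not
# a substitute for parameterization.
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z' .-]{0,63}")


def is_plausible_name(value):
    """Return True when the value matches the allowlisted shape of a name."""
    return bool(NAME_PATTERN.fullmatch(value))


def lookup(conn, name):
    """Validate first, then query with a bound parameter (the recommended combination)."""
    if not is_plausible_name(name):
        raise ValueError("rejected input: not a plausible employee name")
    return find_by_name_safe(conn, name)


def demo(name="O'Brien"):
    """Run both lookups on the same input and report what each one did."""
    conn = make_db()
    results = {"safe": find_by_name_safe(conn, name)}
    try:
        results["vulnerable"] = find_by_name_vulnerable(conn, name)
        results["vulnerable_error"] = None
    except sqlite3.OperationalError as exc:
        # The apostrophe in the data terminated the string literal and broke the query.
        results["vulnerable"] = None
        results["vulnerable_error"] = str(exc)
    return results


if __name__ == "__main__":
    out = demo()
    print("parameterized query returned:", out["safe"])
    print("concatenated query failed with:", out["vulnerable_error"])
```

The concatenated query fails on a legitimate name because the quote inside the data became part of the SQL syntax; anything a user controls can reshape the statement the same way. The bound parameter returns the matching row regardless of the characters in the input, and the allowlist adds a second layer that rejects clearly malformed values before they reach the database.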