Input Validation / SQL Statement in Request Parameter
Description
SQL statement in request parameter is a web and API weakness that arises when user-supplied input is placed into an SQL query without being properly validated, filtered, or escaped first. Because the input becomes part of the query text, an attacker can change the structure of the query rather than just the values it operates on, which is SQL injection (CWE-89). According to the OWASP Testing Guide, this can be prevented by using parameterized queries, applying strict input validation, and restricting the privileges of the database account the application uses (OWASP Testing Guide).
Risk
The risk associated with this vulnerability is high. A successful attack can let an attacker read data they are not authorized to access, modify or delete data, and, depending on the database engine and the privileges of the application's database account, execute commands on the database server.
Solution
The most effective solution is to use parameterized queries, also known as prepared statements: use a database API that supports them and pass user-supplied values as bound parameters instead of concatenating them into the query string. The database then treats each parameter strictly as data, so it can never alter the query's structure. Note that parameters can only carry values; identifiers such as table or column names and keywords such as a sort direction cannot be bound and must instead be mapped through an allow-list of known-good options. Input validation remains useful as a second layer, but it is not a substitute for parameterization.
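The following is an added example, not code from the original page, showing the vulnerable pattern beside the fixes described above: string concatenation, a parameterized query, allow-list validation as a second layer, and an allow-list for a non-parameterizable identifier. It uses Python's built-in sqlite3 module and an in-memory database seeded with constructed sample rows; the table, column and function names are assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the original page).
SEED_USERS = [(1, "alice", "admin"), (2, "bob", "user")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """VULNERABLE: the request parameter is concatenated into the SQL text,
    so a value such as  ' OR '1'='1  rewrites the WHERE clause."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """FIXED: the value is bound as a parameter. Whatever it contains, it is
    compared as data and cannot change the query structure."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allow-list for the user name format (assumed policy for this example).
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def lookup_validated(conn, name):
    """Defence in depth: reject anything outside the expected format before
    it reaches the database, then still use the parameterized query."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid user name")
    return lookup_parameterized(conn, name)


# Identifiers cannot be bound as parameters, so a sort column coming from a
# request parameter is mapped through a fixed allow-list instead.
ORDER_COLUMNS = {"name": "name", "role": "role"}


def list_users_sorted(conn, column):
    """Sort by a client-chosen column without ever placing client text in SQL."""
    safe_column = ORDER_COLUMNS.get(column)
    if safe_column is None:
        raise ValueError("unsupported sort column")
    return conn.execute(
        "SELECT name, role FROM users ORDER BY " + safe_column
    ).fetchall()


if __name__ == "__main__":
    payload = "' OR '1'='1"          # classic tautology injection
    db = make_db()
    print("vulnerable:    ", lookup_vulnerable(db, payload))     # returns every row
    print("parameterized: ", lookup_parameterized(db, payload))  # returns nothing
    try:
        lookup_validated(db, payload)
    except ValueError as exc:
        print("validated:      rejected:", exc)
    print("sorted by role:", list_users_sorted(db, "role"))
```

Running the script shows the concatenated query returning both users for the tautology payload while the parameterized query returns an empty result for the same input; the validated variant rejects the payload before any query runs, and the sort helper refuses any column name that is not in its allow-list.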