IAR Embedded Workbench for RL78 5.20

SEC-INJECTION-sql

Synopsis

User input is improperly used in an SQL statement.

Enabled by default

No

Severity/Certainty

High/Medium

Full description

An SQL statement is constructed either completely or partially from user input. When user input is used in an SQL statement, that statement should be parameterized and the user input passed as a parameter. By using user input directly in an SQL statement (through string concatenation or similar) you leave the statement open to attack. An attacker could provide input to execute arbitrary commands on your database. These commands could expose information in the database, overwrite existing data, or delete elements from the database.

This check supports the following C/C++ libraries for SQL:

* MySQL C API
* MySQL Connector/C++
* libpq (PostgreSQL)
* libpq++ (PostgreSQL)
* libpqxx (PostgreSQL)
* sqlite3
* Microsoft ODBC
* OLE DB

User input should be sanitized using an SQL escaping function.

Coding standards
CWE 89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Code examples

The following code example fails the check and will give a warning:

#include <stdio.h>
#include <string.h>
#include <sqlite3.h>

void example(sqlite3 *db) {
  char name[64];
  char sql[128];
  if (fgets(name, sizeof name, stdin) == NULL)
    return;
  name[strcspn(name, "\n")] = '\0';
  /* Unsafe: the user's text is spliced into the statement, so any quote
     characters it contains become part of the SQL that is executed. */
  strcpy(sql, "SELECT age FROM people WHERE name = \"");
  strcat(sql, name);
  strcat(sql, "\"");
  sqlite3_exec(db, sql, NULL, NULL, NULL);
}

The following code example passes the check and will not give a warning about this issue:

#include <stdio.h>
#include <string.h>
#include <sqlite3.h>

void example(sqlite3 *db) {
  char name[64];
  sqlite3_stmt *stmt;
  if (fgets(name, sizeof name, stdin) == NULL)
    return;
  name[strcspn(name, "\n")] = '\0';
  /* Parameterized: the statement text is fixed at prepare time and the
     user's text is bound as a value, so it can never be parsed as SQL. */
  sqlite3_prepare_v2(db, "SELECT age FROM people WHERE name = $A", -1, &stmt, NULL);
  sqlite3_bind_text(stmt, sqlite3_bind_parameter_index(stmt, "$A"), name, -1, SQLITE_TRANSIENT);
  while (sqlite3_step(stmt) == SQLITE_ROW) {
    /* use sqlite3_column_int(stmt, 0) */
  }
  sqlite3_finalize(stmt);
}
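To make the difference between the two examples observable, here is an added example (not part of the IAR documentation or the C-STAT check itself) that runs both query styles against a constructed in-memory SQLite database. It uses Python's standard sqlite3 module because it wraps the same sqlite3 prepare/bind API the C examples call; the table, rows and inputs are constructed for the demonstration. Single quotes are used for the string literal, since that is the standard SQL form.

```python
import sqlite3

# Constructed sample data: a "people" table like the one in the C examples.
ROWS = [("alice", 30), ("bob", 41), ("carol", 25), ("o'neil", 52)]


def make_db():
    """Build an in-memory database populated with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (name TEXT, age INTEGER)")
    db.executemany("INSERT INTO people VALUES (?, ?)", ROWS)
    return db


def age_by_name_concat(db, name):
    """Mirrors the failing C example: user text is concatenated into the SQL."""
    sql = "SELECT age FROM people WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def age_by_name_param(db, name):
    """Mirrors the passing C example: fixed SQL, user text bound as a parameter."""
    sql = "SELECT age FROM people WHERE name = :name"
    return [row[0] for row in db.execute(sql, {"name": name})]


def demo():
    """Run both styles on an honest name, a name containing a quote, and a
    crafted input; return the observations so they can be checked."""
    db = make_db()
    crafted = "nobody' OR '1'='1"   # constructed input that alters the statement
    result = {
        "concat_honest": age_by_name_concat(db, "bob"),
        "param_honest": age_by_name_param(db, "bob"),
        # Concatenation turns the input into extra SQL and leaks every row.
        "concat_crafted": age_by_name_concat(db, crafted),
        # Binding compares the whole string as a value; no such name exists.
        "param_crafted": age_by_name_param(db, crafted),
        # A legitimate name with an apostrophe is handled correctly when bound.
        "param_quoted_name": age_by_name_param(db, "o'neil"),
    }
    try:
        age_by_name_concat(db, "o'neil")
        result["concat_quoted_name"] = "ok"
    except sqlite3.OperationalError:
        # The apostrophe terminates the literal early: a syntax error, which is
        # the same parsing confusion an attacker exploits.
        result["concat_quoted_name"] = "syntax error"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The crafted input is only meaningful to the concatenated query; the bound version treats it as an ordinary string and returns nothing, and it also handles a real name containing an apostrophe that the concatenated query cannot even parse.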