SQL Injection
Overview
SQL injection occurs when untrusted input is placed into the text of a SQL statement, typically by string concatenation, so that the database parses attacker-controlled data as part of the query syntax rather than as a value.
Impact
Attackers may read, modify, or delete any data reachable by the application's database account and may bypass authentication, for example by turning a login check into a tautology such as ' OR '1'='1.
Countermeasures
Keep data and SQL text apart: use parameterized queries (prepared statements with bind parameters, or the equivalent ORM binding) for every value that comes from outside the program, instead of building the statement by string concatenation. Bind parameters stand only for values; a table or column name that must vary cannot be bound and has to be checked against an allowlist of known identifiers before it is placed into the statement text. Strict input validation and a least-privilege database account are defense in depth, not a substitute for binding.
Examples
try {
    // Both values come from an untrusted source (here a properties file).
    // stmt is a java.sql.Statement, rs a java.sql.ResultSet, con a java.sql.Connection.
    String tableName = props.getProperty("jdbc.tableName");
    String name = props.getProperty("jdbc.name");
    // Vulnerable: the untrusted strings become part of the SQL text itself,
    // so the database parses whatever they contain as query syntax.
    String query = "SELECT * FROM " + tableName + " WHERE Name =" + name;
    stmt = con.createStatement();      // createStatement() takes no SQL
    rs = stmt.executeQuery(query);     // the finished text is sent as-is
    ...
} catch (SQLException sqle) { ... } finally { ... }
<!-- MyBatis mapper. ${userId} is plain text substitution: the value is pasted
     into the SQL before it reaches the driver, so this is injectable.
     #{userId} would instead become a PreparedStatement bind parameter. -->
<select id="selectByUserId" resultType="com.devkuma.dto.User">
    SELECT user_id
    FROM devkuma_user
    WHERE user_id = '${userId}'
</select>
// Still vulnerable: prepareStatement() only helps when the variable parts are
// passed as bind parameters. Here the statement text is fully assembled before
// the call, so the driver parses the attacker's input as SQL exactly as above.
String tableName = props.getProperty("jdbc.tableName");
String name = props.getProperty("jdbc.name");
String query = "SELECT * FROM " + tableName + " WHERE Name =" + name;
stmt = con.prepareStatement(query);   // stmt is a java.sql.PreparedStatement
rs = stmt.executeQuery();
...
// Does not work: a '?' placeholder can only stand for a value, never for an
// identifier such as a table or column name, so this statement fails to prepare
// (a driver that accepted it would bind a string literal, not a table name).
// The Name value can be bound like this, but tableName must be checked against
// an allowlist of known table names before being appended to the SQL text.
String tableName = props.getProperty("jdbc.tableName");
String name = props.getProperty("jdbc.name");
String query = "SELECT * FROM ? WHERE Name = ?";
stmt = con.prepareStatement(query);
stmt.setString(1, tableName); stmt.setString(2, name);
rs = stmt.executeQuery();
...
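The following is an added example that is not part of this page and not code from the devkuma project or any JDBC driver; it reproduces, against an in-memory SQLite database via Python's sqlite3 module so it runs offline, the situations the Countermeasures section and the examples above describe: a query built by string concatenation, the same query with the values bound as parameters, a placeholder in table-name position, and the allowlist check for a dynamic identifier. The table name devkuma_user is taken from the mapper above; the rows, the role column, the tautology payload and the ALLOWED_TABLES set are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the JDBC connection in the examples.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE devkuma_user (user_id TEXT, password TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO devkuma_user VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return con


# Assumed allowlist of identifiers the application is permitted to query.
ALLOWED_TABLES = frozenset({"devkuma_user"})


def is_allowed_table(table_name: str) -> bool:
    """Identifier check: exact membership, no normalisation or escaping."""
    return table_name in ALLOWED_TABLES


def login_concat(con: sqlite3.Connection, user_id: str, password: str) -> list:
    """Vulnerable: the same string building as the JDBC examples. Whether the
    finished text goes through createStatement or prepareStatement makes no
    difference; the input is already part of the SQL syntax when it is parsed."""
    query = ("SELECT user_id, role FROM devkuma_user WHERE user_id = '" + user_id
             + "' AND password = '" + password + "'")
    return con.execute(query).fetchall()


def login_bound(con: sqlite3.Connection, user_id: str, password: str) -> list:
    """Safe: the values travel as bind parameters and are never parsed as SQL."""
    query = "SELECT user_id, role FROM devkuma_user WHERE user_id = ? AND password = ?"
    return con.execute(query, (user_id, password)).fetchall()


def select_with_bound_table(con: sqlite3.Connection, table_name: str, name: str):
    """Mirrors the last JDBC example: a '?' in FROM position. A placeholder can
    only stand for a value, so the statement fails at prepare time. The driver's
    error text is returned (None on success) so callers can inspect it."""
    try:
        con.execute("SELECT * FROM ? WHERE user_id = ?", (table_name, name))
        return None
    except sqlite3.Error as exc:
        return str(exc)


def select_with_allowlisted_table(con: sqlite3.Connection, table_name: str, name: str) -> list:
    """Correct handling of a dynamic identifier: the table name is checked
    against the allowlist and only then spliced into the text; the value is
    still bound as a parameter."""
    if not is_allowed_table(table_name):
        raise ValueError(f"table not allowed: {table_name!r}")
    query = f"SELECT user_id, role FROM {table_name} WHERE user_id = ?"
    return con.execute(query, (name,)).fetchall()


if __name__ == "__main__":
    con = make_db()
    payload = "' OR '1'='1"   # constructed tautology payload in the password field
    print("concatenated :", login_concat(con, "nobody", payload))
    print("bound        :", login_bound(con, "nobody", payload))
    print("bound table  :", select_with_bound_table(con, "devkuma_user", "alice"))
    print("allowlisted  :", select_with_allowlisted_table(con, "devkuma_user", "alice"))
```

With the payload in the password field, login_concat returns every row because the WHERE clause becomes user_id = 'nobody' AND password = '' OR '1'='1', while login_bound returns nothing; select_with_bound_table returns a syntax error from the engine, which is the runtime symptom of trying to bind an identifier.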