Database

Java Sql Injection Untrusted Input

Description

Detects SQL injection vulnerabilities in Java applications that use Spring JDBC (JdbcTemplate). The flaw occurs when untrusted input (request parameters, path variables, headers, form fields) is concatenated or otherwise embedded into the SQL statement text instead of being passed as a bound parameter. An attacker who controls that input can change the structure of the query, which allows reading or modifying data they are not authorized to access and, depending on the driver and database configuration, executing additional statements.

Weakness:

297 - SQL injection - Code

Category: Unexpected Injection

Detection Strategy

    Check if the Spring JDBC library (org.springframework.jdbc.core.JdbcTemplate) is imported in the source code

    Look for statement execution methods on JdbcTemplate such as 'execute', 'query', 'queryForObject', 'queryForList', 'queryForMap', or 'update' (note that 'executeQuery' belongs to java.sql.Statement, not to JdbcTemplate, and indicates raw JDBC rather than Spring JDBC usage)

    Analyze whether the SQL string passed to these methods is built from unsanitized user input by string concatenation, String.format, or StringBuilder, rather than using '?' placeholders with the values passed as separate arguments

    Report a vulnerability if the query text is constructed from untrusted data in this way, or if parameters are handled unsafely (for example, a parameter that reaches the query as part of the statement text instead of as a bound value)

Vulnerable code example

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.web.bind.annotation.*;

@RestController
public class UserController {
    private JdbcTemplate jdbcTemplate;

    @GetMapping("/users")...

✅ Secure code example

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.web.bind.annotation.*;

@RestController
public class UserController {
    private JdbcTemplate jdbcTemplate;

    @GetMapping("/users")...
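The following is an added example, not code from the original page, that shows a complete controller with the vulnerable pattern next to its parameterized fix, plus the case that placeholders cannot cover (an ORDER BY column chosen by the caller). The class name, endpoint paths, and the `users` table with `id`, `name`, and `email` columns are assumptions for illustration.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller written for this example; it assumes a table
// users(id, name, email) and a JdbcTemplate bean configured by Spring.
@RestController
public class UserLookupController {

    private final JdbcTemplate jdbcTemplate;

    public UserLookupController(JdbcTemplate jdbcTemplate) {
        this.jdbcTemplate = jdbcTemplate;
    }

    // VULNERABLE: the request parameter becomes part of the SQL text.
    // name = x' OR '1'='1   -> returns every row in the table
    // name = x'; DROP TABLE users;--   -> may run a second statement if the
    // driver/database allows multiple statements per call
    @GetMapping("/users/unsafe")
    public List<Map<String, Object>> findUnsafe(@RequestParam String name) {
        String sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'";
        return jdbcTemplate.queryForList(sql);
    }

    // SAFE: '?' placeholders. JdbcTemplate turns this into a PreparedStatement,
    // so the value travels separately from the statement text and cannot
    // change the query's structure, whatever characters it contains.
    @GetMapping("/users")
    public List<Map<String, Object>> findSafe(@RequestParam String name) {
        String sql = "SELECT id, name, email FROM users WHERE name = ?";
        return jdbcTemplate.queryForList(sql, name);
    }

    // Caveat: identifiers (column or table names, ASC/DESC) cannot be bound as
    // parameters. Validate the input against a fixed allowlist and only then
    // splice it into the statement; never concatenate the raw value.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("id", "name", "email");

    @GetMapping("/users/sorted")
    public List<Map<String, Object>> findSorted(@RequestParam String name,
                                                @RequestParam(defaultValue = "id") String sortBy) {
        if (!SORTABLE_COLUMNS.contains(sortBy)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortBy);
        }
        // sortBy is now one of three literal strings chosen by the developer.
        String sql = "SELECT id, name, email FROM users WHERE name = ? ORDER BY " + sortBy;
        return jdbcTemplate.queryForList(sql, name);
    }
}
```

The detection strategy above would flag `findUnsafe` (concatenation into the SQL string passed to a JdbcTemplate method) and accept `findSafe` (placeholders with the value passed as a separate argument). `findSorted` still concatenates, so a purely syntactic check will report it; when reviewing such a finding, confirm that the concatenated value is constrained to an allowlist before the query is built, since that is the only safe way to let a caller pick an identifier.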