logo

Database

Java Api Sql Injection

Description

This detector identifies SQL injection vulnerabilities in Java applications that use the java.sql library. It analyzes SQL statement construction patterns to detect cases where user input may be directly concatenated into SQL queries without proper parameterization, allowing attackers to manipulate SQL commands.

Weakness:

146 - SQL injection

Category: Unexpected Injection

Detection Strategy

    The code imports or uses classes from the java.sql package (such as Statement, PreparedStatement, Connection, etc.)

    SQL statements are constructed by concatenating user-controlled input directly into the query string instead of using parameterized queries

    String concatenation or formatting is used to build SQL queries with dynamic values that could contain malicious SQL code

Vulnerable code example

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.web.bind.annotation.RequestParam;
import java.sql.*;

public class SqlInjectionExample {
    
    public void vulnerableMethod(HttpServletRequest request, Connection conn) throws Exception {
        Statement stmt = conn.createStatement();...

✅ Secure code example

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.web.bind.annotation.RequestParam;
import java.sql.*;

public class SqlInjectionExample {
    
    public void secureMethod(HttpServletRequest request, Connection conn) throws Exception {
        // Safe - Use PreparedStatement with parameterized query...