Java Api Sql Injection
Description
This detector identifies SQL injection vulnerabilities in Java applications that use the java.sql library. It analyzes SQL statement construction patterns to detect cases where user input may be directly concatenated into SQL queries without proper parameterization, allowing attackers to manipulate SQL commands.
Detection Strategy
• The code imports or uses classes from the java.sql package (such as Statement, PreparedStatement, Connection, etc.)
• SQL statements are constructed by concatenating user-controlled input directly into the query string instead of using parameterized queries
• String concatenation or formatting is used to build SQL queries with dynamic values that could contain malicious SQL code
Vulnerable code example
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.web.bind.annotation.RequestParam;
import java.sql.*;
public class SqlInjectionExample {
public void vulnerableMethod(HttpServletRequest request, Connection conn) throws Exception {
Statement stmt = conn.createStatement();...✅ Secure code example
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.web.bind.annotation.RequestParam;
import java.sql.*;
public class SqlInjectionExample {
public void secureMethod(HttpServletRequest request, Connection conn) throws Exception {
// Safe - Use PreparedStatement with parameterized query...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.