Avoid second order SQL injection

CRITICAL

Rule Definition
In web based applications, the validation of all user input is critical to avoid major security problems that would come from the injection flaws. To avoid the creation of injection flaws, the Open Web Application Security Project (OWASP) recommends the validation of all user input: "Use a standard input validation mechanism to validate all input data for length, type, syntax, and business rules before accepting the data to be displayed or stored. Use an "accept known good" validation strategy. Reject invalid input rather than attempting to sanitize potentially hostile data. Do not forget that error messages might also include invalid data" The Common Weakness Enumeration defines Improper Input Validation (CWE-20) as follows: "When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution."

Remediation
Use authorized sanitization methods.

Violation Code Sample

... string oldPassword = ... string newPassword = ... string userName = ... // Get the userName from the database string query = "UPDATE users SET password=? WHERE username=" + userName + " and password=?"; PreparedStatement preparedStatement = conn.prepareStatement(query) ; preparedStatement.setString(1, newPassword ); preparedStatement.setString(2, oldPassword); int i = preparedStatement.executeUpdate(); ...

Fixed Code Sample

string query = "UPDATE users SET password=? WHERE username=? and password=?"; PreparedStatement preparedStatement = conn.prepareStatement(query) ; preparedStatement.setString(1, newPassword ); preparedStatement.setString(2, userName); preparedStatement.setString(3, oldPassword);

Reference

CWE-89 : Failure to Preserve SQL Query Structure (aka 'SQL injection') http://cwe.mitre.org/data/definitions/89.html Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Top_10_2007 CISQ rule: ASCSM-CWE-89.

Related Technologies

Health Factor

Security

Technical Criterion
CWE-564 - SQL Injection: Hibernate

About CAST Appmarq

CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.

Benchmark Statistics

Global Compliance

nan%

Total Violations

0

Total Opportunities

0

Average Violations / App.

nan

The compliance score represents 1 minus the ratio between the number of times a rule has been violated compared to the number of opportunities in a set of applications that the rule could have been violated.

Industry Insights

Software ISV

94.29%

Select from drop-down

99.94%

Insurance

99.68%

Want more stats? Register now!