CRV2 SQLInjJava

From OWASP
Revision as of 19:55, 3 October 2013 by Johanna Curiel


JAVA SQL Injections

SQL injection occurs when input to a web application reaches the back-end database without being validated and kept separate from the SQL text. An attacker exploits the flaw by embedding SQL syntax in the input so that the database executes a statement the developer never intended, for example one that returns other users' data or logs the attacker in, bypassing the authentication and authorization logic programmed into the web application.

An example of vulnerable Java code (Livshits and Lam, 2005):

   HttpServletRequest request = ...;
   String userName = request.getParameter("name");   // attacker-controlled value
   Connection con  = ...;
   // The untrusted value is concatenated straight into the SQL text, so a
   // single quote in it closes the literal and the rest is parsed as SQL.
   String query    = "SELECT * FROM Users " + " WHERE name = '" + userName + "'";
   // The paper abbreviates the JDBC call as con.execute(query); the
   // equivalent runnable JDBC code is:
   Statement stmt  = con.createStatement();
   ResultSet rs    = stmt.executeQuery(query);
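
To show why the concatenation above is exploitable and what the fix looks like, here is an added example that is not part of the original page or the Livshits and Lam paper. It runs the concatenated query and a PreparedStatement version against the same table with a normal name and with the tautology payload `' OR '1'='1`. The class name, the table contents and the use of an in-memory H2 database (the H2 JDBC driver jar is assumed to be on the classpath) are assumptions made for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example (not from the OWASP page or the Livshits/Lam paper):
 * the concatenated query beside its parameterised replacement, run
 * against an in-memory H2 database. Assumes the H2 JDBC driver is on
 * the classpath; the table and rows are constructed here for the demo.
 */
public class SqlInjectionDemo {

    // Vulnerable: the untrusted value is spliced into the SQL text, so a
    // quote in the payload closes the literal and the rest is parsed as SQL.
    static int countVulnerable(Connection con, String userName) throws SQLException {
        String query = "SELECT * FROM Users WHERE name = '" + userName + "'";
        try (Statement stmt = con.createStatement();
             ResultSet rs = stmt.executeQuery(query)) {
            return countRows(rs);
        }
    }

    // Fixed: the SQL text is fixed before any user data is seen and the value
    // is bound as a parameter, so the driver never lets it alter the statement.
    static int countSafe(Connection con, String userName) throws SQLException {
        String query = "SELECT * FROM Users WHERE name = ?";
        try (PreparedStatement ps = con.prepareStatement(query)) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                return countRows(rs);
            }
        }
    }

    private static int countRows(ResultSet rs) throws SQLException {
        int n = 0;
        while (rs.next()) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) throws SQLException {
        // jdbc:h2:mem: opens a private in-memory database (assumes H2 on the classpath)
        try (Connection con = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = con.createStatement()) {
                // Constructed sample data for the demonstration
                st.execute("CREATE TABLE Users (id INT PRIMARY KEY, name VARCHAR(64))");
                st.execute("INSERT INTO Users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
            }

            String normal  = "alice";
            String payload = "' OR '1'='1";   // classic tautology payload

            System.out.println("vulnerable, normal  : " + countVulnerable(con, normal));
            System.out.println("vulnerable, payload : " + countVulnerable(con, payload));
            System.out.println("prepared,   normal  : " + countSafe(con, normal));
            System.out.println("prepared,   payload : " + countSafe(con, payload));
        }
    }
}
```

With the payload, the concatenated statement becomes `SELECT * FROM Users WHERE name = '' OR '1'='1'`, whose WHERE clause is always true, so `countVulnerable` returns every row in the table. The prepared statement searches for a user whose name is literally `' OR '1'='1` and returns no rows, which is the behaviour the application intended. Note that the fix is binding the value as a parameter, not escaping quotes in the string: escaping is database-specific and easy to get wrong, while `PreparedStatement` keeps code and data separate by construction.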

References

Livshits, B. and Lam, M. S. (2005). "Finding Security Vulnerabilities in Java Applications with Static Analysis". Proceedings of the 14th USENIX Security Symposium. Available at https://www.usenix.org/legacy/event/sec05/tech/full_papers/livshits/livshits_html/#sec:sqlinjexample (accessed 3 October 2013).