Untrusted data is sent as part of a command or query.
What it is
Websites and apps routinely run commands on the underlying database or operating system to add or delete data, execute a script, or start other programs. If user input is added to a command string or a database query without being verified, attackers can run commands of their choosing and take control of a server, device, or data.
How it works
If a website, app, or device embeds user input within a command, an attacker can insert their own command directly into that input. If the input is not verified, the attacker's command is executed along with the intended one, and they can run further commands freely.
Why it’s bad
Once attackers gain access to make commands, they can control your website, apps, and data.
Avoid building queries by string concatenation. Use well-known ORMs or parameterized APIs to retrieve data.
Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
Use positive or allow-list server-side input validation (e.g., allow only some HTML tags in a custom WYSIWYG editor and strip everything else).
For any remaining dynamic queries, escape special characters using the escaping syntax specific to that interpreter. Better, avoid dynamic queries altogether and use ORMs or parameterized queries instead.
SQL injection example
The attacker uses SQL injection to exploit a non-validated input on a web form or an HTTP GET request whose query parameters are exposed in the URI, which can then be used to perform malicious activity.
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
Example A1: SELECT * FROM accounts WHERE custID = '1'
Example B1: SELECT * FROM accounts WHERE custID = '1'; DROP TABLE USERS
Example A1 showcases good tactics.
The URL and query return result data based on the customer ID being '1', or whatever the user enters in the form on the web page. The result is an account view for customer ID 1.
Example B1 exhibits poor tactics.
The URL query parameter drops a table because the form data or URL query parameters are not validated before being sent to the database. A secondary SQL command, "DROP TABLE USERS", is added by appending a semicolon and the command to the .
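To make the contrast between the concatenated query above and the mitigations listed earlier (parameterized APIs, allow-list validation, LIMIT) concrete, here is an added, runnable Python example against an in-memory SQLite database. It is not code from the original page; the table layout, the account rows, and the function names are constructed for this illustration. The vulnerable function rebuilds the query by string concatenation exactly as the Java snippet does, while the two safe functions pass the customer ID as a bound parameter, the second of them also applying numeric allow-list validation and a LIMIT.

```python
import re
import sqlite3


def make_db():
    """Create an in-memory database with a few constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1", "alice", 100), ("2", "bob", 250), ("3", "carol", 75)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, cust_id):
    """Mirrors the page's Java snippet: the input is spliced into the SQL text,
    so anything the user types is parsed as SQL by the database."""
    query = "SELECT custID, owner FROM accounts WHERE custID = '" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, cust_id):
    """Same query, but the value is bound as a parameter. The driver sends it
    separately from the SQL text, so it can only ever be compared as data."""
    return conn.execute(
        "SELECT custID, owner FROM accounts WHERE custID = ?", (cust_id,)
    ).fetchall()


def lookup_hardened(conn, cust_id):
    """Parameterization plus the page's other two controls:
    allow-list validation (an account id is digits only) and a LIMIT so that
    even a logic mistake elsewhere cannot disclose the whole table."""
    if not re.fullmatch(r"[0-9]{1,10}", cust_id):
        raise ValueError("rejected: customer id must be numeric")
    return conn.execute(
        "SELECT custID, owner FROM accounts WHERE custID = ? LIMIT 1", (cust_id,)
    ).fetchall()


def demo():
    """Run the three lookups with a benign id and a classic tautology input."""
    conn = make_db()
    benign = "1"
    hostile = "1' OR '1'='1"  # constructed attacker input, mirrors the page's example
    print("vulnerable, benign :", lookup_vulnerable(conn, benign))
    print("vulnerable, hostile:", lookup_vulnerable(conn, hostile))  # every row leaks
    print("parameterized, hostile:", lookup_parameterized(conn, hostile))  # no match
    try:
        lookup_hardened(conn, hostile)
    except ValueError as exc:
        print("hardened, hostile  :", exc)  # rejected before reaching the database
    print("hardened, benign   :", lookup_hardened(conn, benign))


if __name__ == "__main__":
    demo()
```

The vulnerable lookup returns all three accounts for the hostile input because the concatenated text becomes `WHERE custID = '1' OR '1'='1'`, whereas the parameterized lookup returns nothing because it compares the literal string `1' OR '1'='1` against the custID column. The page's stacked `; DROP TABLE` form is not used here only because Python's sqlite3 `execute()` refuses more than one statement per call; drivers and database configurations that accept multiple statements would run the appended command, which is why the defence is the bound parameter, not the driver's behaviour.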