SQL injection in SqlUtil.execQuery

Metadata

ID: java-security/potential-sql-injection

Language: Java

Severity: Warning

Category: Security

CWE: 89

Description

Untrusted input that is concatenated directly into a SQL query string can change the meaning of the query (SQL injection, CWE-89). Each parameter of the SQL query should be properly escaped and validated before it is joined to the query text.

Non-Compliant Code Examples

class Foobar {

    public void test() {
        // parameterInput is joined to the query unescaped and unvalidated,
        // so whatever it contains becomes part of the SQL statement
        SqlUtil.execQuery("select * from UserEntity t where id = " + parameterInput);
    }
}

Compliant Code Examples

class Foobar {

    public void test() {
        // the input passes through sanitize() before it reaches the query text
        SqlUtil.execQuery("select * from UserEntity t where id = " + sanitize(parameterInput));
    }
}
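The following is an added example, not code from the rule page or from Datadog. It assumes a hypothetical class UserLookup whose sanitize() plays the role of the compliant example's sanitize(): for a numeric id column it accepts only digits and rejects everything else, and it shows the parameterized-query form that keeps the value out of the SQL text entirely.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

class UserLookup {

    // Assumed stand-in for the page's sanitize(): an integer id column only ever
    // needs digits, so the input is validated against an allow-list rather than escaped.
    static String sanitize(String parameterInput) {
        if (parameterInput == null || !parameterInput.matches("\\d{1,18}")) {
            throw new IllegalArgumentException("id must be a positive integer");
        }
        return parameterInput;
    }

    // Same query as the compliant example: validation runs before concatenation,
    // so the untrusted text cannot alter the structure of the statement.
    static String buildValidatedQuery(String parameterInput) {
        return "select * from UserEntity t where id = " + sanitize(parameterInput);
    }

    // Preferred form: the value is sent by the driver as a bound parameter and never
    // becomes part of the SQL string, so no escaping or validation of the text is needed.
    static boolean userExists(Connection conn, long id) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "select 1 from UserEntity t where id = ?")) {
            ps.setLong(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // constructed inputs: a well-formed id and a value that would change the query
        System.out.println(buildValidatedQuery("42"));
        try {
            buildValidatedQuery("1 or 1=1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```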