This product is not supported for your selected Datadog site. ().
Cette page n'est pas encore disponible en français, sa traduction est en cours. Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.
This rule detects SQL queries that are constructed by concatenating or interpolating strings with variables. Building queries in this manner makes the application vulnerable to SQL Injection attacks. An attacker could provide malicious input that alters the query’s logic, potentially leading to unauthorized data access, data modification, or execution of arbitrary commands on the database.
To mitigate this vulnerability, use prepared statements with parameterized queries. This practice ensures that user input is treated as data and not as executable code, effectively preventing SQL injection attacks.
Non-Compliant Code Examples
importFoundationfuncfindUserUnsafe(withNameuserName:String){//// NON-COMPLIANT: String concatenation// This query is built by joining a string literal containing a SQL keyword// with a variable. This will be flagged by the rule.//letqueryConcat="SELECT * FROM users WHERE name = '"+userName+"'"// Execute the dangerous query...// execute(queryConcat)}funcfindUserUnsafeMultiline(withNameuserName:String){//// NON-COMPLIANT: String concatenation// This query is built by joining a string literal containing a SQL keyword// with a variable. This will be flagged by the rule.//letqueryConcat="""SELECT * FROM users WHERE name ='"""+userName// Execute the dangerous query...// execute(queryConcat)}funcfindItemUnsafe(ownedByowner:String){//// NON-COMPLIANT: String interpolation// This query uses Swift's string interpolation feature `\()` to embed// the variable directly into the string. The rule detects the interpolation// within a string that also contains a SQL keyword.//letqueryInterpolate="SELECT * FROM items WHERE owner = '\(owner)'"// Execute the dangerous query...// execute(queryInterpolate)}funcfindItemUnsafeMulti(ownedByowner:String){//// NON-COMPLIANT: String interpolation// This query uses Swift's string interpolation feature `\()` to embed// the variable directly into the string. The rule detects the interpolation// within a string that also contains a SQL keyword.//letqueryInterpolate="""SELECT * FROM items
WHERE owner = '\(owner)'"""// Execute the dangerous query...// execute(queryInterpolate)}
Compliant Code Examples
importFoundation// Assuming a hypothetical database library that supports parameterized queries.// The syntax is similar to popular libraries like SQLite.swift or FMDB.// A placeholder for a database connection object.classDatabase{funcprepare(_statement:String)->Statement{// In a real implementation, this would compile the SQL statement.returnStatement(sql:statement)}}// A placeholder for a prepared statement object.classStatement{letsql:Stringinit(sql:String){self.sql=sql}// The `run` method would safely bind the parameters and execute the query.funcrun(_bindings:Any...){print("Executing query: \(self.sql) with safe bindings: \(bindings)")}}letdb=Database()// Assume we have a database connection.funcfindUserSafe(withNameuserName:String){//// COMPLIANT: Using a parameterized query// The query string uses a placeholder `?` instead of the actual variable.// The database driver is responsible for safely substituting the `userName`// value for the placeholder, preventing it from being interpreted as SQL code.// This pattern is not flagged by the rule.//letquery="SELECT * FROM users WHERE name = ?"letstatement=db.prepare(query)statement.run(userName)}
1
2
rulesets:- swift-security # Rules to enforce Unknown security.
