Potential SQL injection from string formatting

Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST Rules > Potential SQL injection from string formatting

Metadata

ID: swift-security/sql-injection

Language: Unknown

Severity: Error

Category: Security

CWE: 89

Description

This rule detects SQL queries that are constructed by concatenating or interpolating strings with variables. Building queries in this manner makes the application vulnerable to SQL Injection attacks. An attacker could provide malicious input that alters the query’s logic, potentially leading to unauthorized data access, data modification, or execution of arbitrary commands on the database.

To mitigate this vulnerability, use prepared statements with parameterized queries. This practice ensures that user input is treated as data and not as executable code, effectively preventing SQL injection attacks.

Non-Compliant Code Examples

import Foundation

func findUserUnsafe(withName userName: String) {
    //
    // NON-COMPLIANT: String concatenation
    // This query is built by joining a string literal containing a SQL keyword
    // with a variable. This will be flagged by the rule.
    //
    let queryConcat = "SELECT * FROM users WHERE name = '" + userName + "'"
    
    // Execute the dangerous query...
    // execute(queryConcat)
}

func findUserUnsafeMultiline(withName userName: String) {
    //
    // NON-COMPLIANT: String concatenation
    // This query is built by joining a string literal containing a SQL keyword
    // with a variable. This will be flagged by the rule.
    //
    let queryConcat = """SELECT * FROM users WHERE name ='""" + userName
    
    // Execute the dangerous query...
    // execute(queryConcat)
}


func findItemUnsafe(ownedBy owner: String) {
    //
    // NON-COMPLIANT: String interpolation
    // This query uses Swift's string interpolation feature `\()` to embed
    // the variable directly into the string. The rule detects the interpolation
    // within a string that also contains a SQL keyword.
    //
    let queryInterpolate = "SELECT * FROM items WHERE owner = '\(owner)'"

    // Execute the dangerous query...
    // execute(queryInterpolate)
}

func findItemUnsafeMulti(ownedBy owner: String) {
    //
    // NON-COMPLIANT: String interpolation
    // This query uses Swift's string interpolation feature `\()` to embed
    // the variable directly into the string. The rule detects the interpolation
    // within a string that also contains a SQL keyword.
    //
    let queryInterpolate = """SELECT * FROM items 
    WHERE owner = '\(owner)'"""

    // Execute the dangerous query...
    // execute(queryInterpolate)
}

Compliant Code Examples

import Foundation
// Assuming a hypothetical database library that supports parameterized queries.
// The syntax is similar to popular libraries like SQLite.swift or FMDB.

// A placeholder for a database connection object.
class Database {
    func prepare(_ statement: String) -> Statement {
        // In a real implementation, this would compile the SQL statement.
        return Statement(sql: statement)
    }
}

// A placeholder for a prepared statement object.
class Statement {
    let sql: String
    init(sql: String) { self.sql = sql }
    
    // The `run` method would safely bind the parameters and execute the query.
    func run(_ bindings: Any...) {
        print("Executing query: \(self.sql) with safe bindings: \(bindings)")
    }
}

let db = Database() // Assume we have a database connection.


func findUserSafe(withName userName: String) {
    //
    // COMPLIANT: Using a parameterized query
    // The query string uses a placeholder `?` instead of the actual variable.
    // The database driver is responsible for safely substituting the `userName`
    // value for the placeholder, preventing it from being interpreted as SQL code.
    // This pattern is not flagged by the rule.
    //
    let query = "SELECT * FROM users WHERE name = ?"
    
    let statement = db.prepare(query)
    statement.run(userName)
}