SQL Injection
Description
A SQL injection vulnerability occurs when users can insert - inject - malicious SQL code in a legit SQL query that is built from user-submitted input. A successful SQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file from the DBMS file system and in some cases issue commands to the operating system.
Remediation
Primary defenses:
- Use of Prepared Statements (with parameterized queries). This prevention techniques is the most effective one as it will completely shutdown any SQL injection attacks. Keep in mind that prepared statements must be used everywhere, even if no user inputted data is found in the query.
- Use of Stored Procedures.
- Allow-list Input Validation. Usage whitelist is recommended to prevent SQL injection attacks as whitelisting is more effective then black listing.
- Escaping all user supplied input.
Additional defenses:
- Enforcing Least Privilege.
- Performing Allow-list Input Validation as a secondary line of defense.
GraphQL Specific
Apollo
To prevent SQL injection in the Apollo framework engine, ensure that all database queries are constructed using parameterized statements or prepared statements. This approach separates the SQL logic from the data input, effectively neutralizing the potential for malicious input to alter the structure of the SQL command. Additionally, employ input validation to whitelist acceptable input patterns and reject any suspicious or unexpected data. Regularly update the Apollo framework and its dependencies to incorporate security patches. Implement proper error handling to avoid revealing sensitive information in error messages that could aid an attacker. Lastly, consider using ORM (Object-Relational Mapping) libraries that inherently use parameterized queries to further reduce the risk of SQL injection attacks.
Yoga
To prevent SQL injection in the Yoga framework engine, ensure that all database queries are performed using parameterized statements or prepared statements. This approach allows the database to distinguish between code and data, regardless of user input. The Yoga framework should utilize its database abstraction layer correctly to prepare queries, which will effectively mitigate the risk of SQL injection attacks. Additionally, always validate and sanitize user input to reduce the attack surface further. Implementing proper error handling and logging mechanisms can also help in identifying and responding to any attempted attacks promptly.
Awsappsync
To mitigate SQL injection vulnerabilities in AWS AppSync, ensure that all database queries are constructed using parameterized statements or prepared statements, which separate the SQL logic from the input data. Additionally, use AWS AppSync's built-in VTL (Velocity Template Language) resolvers to sanitize and validate all input data before it is processed in your queries. Implement proper authorization checks and access controls to limit data exposure. Regularly update and patch your GraphQL schema and underlying data sources to address any security vulnerabilities. Employ AWS WAF (Web Application Firewall) to provide an additional layer of security with custom rules designed to block malicious SQL injection attempts.
Graphqlgo
To mitigate SQL injection risks in a GraphQL Go framework engine, ensure that all database queries are constructed using parameterized statements or prepared statements, which separate the query structure from the data inputs. Additionally, employ input validation to whitelist allowable characters and reject potentially malicious input. Implement proper error handling to avoid exposing database schema information. Regularly review and update dependencies to incorporate security patches for the GraphQL framework and associated libraries.
Graphqlruby
In the GraphQL Ruby framework, to prevent SQL injection, ensure that all user-supplied input is validated and sanitized. Use the built-in mechanisms for parameterization provided by GraphQL types and avoid directly interpolating variables into queries. Always use the query object's methods to construct conditions, and never construct SQL fragments manually. Additionally, employ Active Record or another ORM's built-in protections, which use parameterized queries to safely handle user input.
Hasura
To prevent SQL injection in Hasura, ensure that all user inputs are validated and use prepared statements with variable binding. Avoid constructing SQL queries with string concatenation. Additionally, leverage Hasura's role-based access control to restrict data access and permissions.
REST Specific
Asp_net
In ASP.NET, prevent SQL injection by utilizing parameterized queries with SqlCommand or Entity Framework, employing stored procedures, and validating user inputs. Additionally, use ORM tools like Entity Framework which inherently protect against SQL injection by handling data as strongly typed objects rather than constructing SQL queries using string concatenation. Always encode user inputs if they are used in SQL queries, and regularly update your database management system to patch any known vulnerabilities.
Ruby_on_rails
In Ruby on Rails, use the ActiveRecord query interface which automatically handles parameterized queries to prevent SQL injection. For example, instead of using string interpolation, use the where method like this: User.where('name = ?', params[:name]). Also, ensure that raw SQL is avoided unless absolutely necessary and always sanitize input with methods like quote or sanitize_sql_array if you must use raw SQL.
Next_js
In Next.js applications, prevent SQL injection by using parameterized queries or prepared statements with libraries like pg for PostgreSQL. Avoid concatenating user input directly into SQL queries. Instead, use query parameters to ensure that user input is treated as data, not executable code. Additionally, employ input validation and ORM libraries that provide built-in protections against SQL injection.
Laravel
In Laravel, use Eloquent ORM or the query builder's parameter binding to prevent SQL injection. Both methods ensure that user input is treated as data rather than executable code. For raw SQL queries, use prepared statements with named or positional binding. Additionally, validate and sanitize user inputs to strengthen security.
Express_js
In Express.js, prevent SQL injection by using parameterized queries with libraries like 'mysql' or 'pg'. Avoid concatenating user inputs directly into SQL statements. Instead, use placeholders (e.g., '?', '$1') for inputs and provide parameters separately to the query function. This ensures that user input is treated as data, not executable code. Additionally, employ ORM libraries like Sequelize which automatically handle parameterization, and regularly validate and sanitize user input to further reduce injection risks.
Django
In Django, use the ORM to create SQL queries, as it automatically escapes user inputs. If raw SQL must be used, employ Django's built-in parameterized query support with the 'params' argument to avoid SQL injection by ensuring that user inputs are properly escaped.
Symfony
In Symfony, use the Doctrine ORM or DBAL's prepared statements to mitigate SQL injection risks. Always use parameterized queries or Doctrine's DQL (Doctrine Query Language) to ensure that user input is handled safely. Avoid concatenating or interpolating user input directly into SQL queries. Additionally, regularly validate and sanitize user input to prevent malicious data from being processed.
Spring_boot
In Spring Boot, prevent SQL injection by using JPA Repository or Spring Data interfaces for database access. These abstractions use parameterized queries, which ensure that user input is treated as data rather than executable code. Additionally, avoid constructing SQL queries through string concatenation with user input, and use Hibernate's Criteria API or JPQL with bind parameters to further safeguard against injection attacks.
Flask
In Flask, use SQLAlchemy or another ORM that supports parameterized queries to prevent SQL injection. Ensure that raw SQL queries are avoided, or if necessary, use contextually appropriate escaping functions provided by the database driver, such as escape() in MySQL-Python. Additionally, validate and sanitize all user inputs to enforce proper input format.
Nuxt
In Nuxt.js applications, prevent SQL injection by using libraries that support parameterized queries or prepared statements, such as knex.js or sequelize. Always validate and sanitize user input, and avoid directly concatenating user input into SQL queries. Implement proper error handling to prevent the exposure of database details. Additionally, use ORM (Object-Relational Mapping) libraries that abstract SQL execution and inherently protect against SQL injection.
Fastapi
In FastAPI, to prevent SQL injection, use ORM libraries like SQLAlchemy which employ parameterized queries. Ensure that all database queries are constructed using ORM methods rather than string concatenation or interpolation. For raw SQL queries, use FastAPI's database dependencies with query parameters instead of formatting strings directly. Regularly update dependencies to incorporate security fixes.
Configuration
Identifier:
injection/sql
Options
- skip_objects : List of object that are to be skipped by the security test.
Examples
Ignore this check
checks:
injection/sql:
skip: true
Score
- Escape Severity: HIGH
Compliance
OWASP: API9:2023
pci: 6.5.1
gdpr: Article-32
soc2: CC1
psd2: Article-95
iso27001: A.14.2
nist: SP800-53
fedramp: AC-7
Classification
- CWE: 89
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C
- CVSS_SCORE: 8.7