
SQL injection

Description

Improper SQL query construction can lead to SQL injection. An SQL injection attack consists of injecting SQL syntax through the input data sent from the client to the application, so that the attacker's input is executed as part of the database query rather than treated as a value.

Recommendation

Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter the query logic to bypass security checks or to gain unauthorized access to content. Build queries with parameterized statements (prepared statements or the driver's placeholder syntax) instead of concatenating or formatting user input into the query string; if a value must be interpolated (for example a table or column name), validate it against a fixed allow list.
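The following example is added here to illustrate both the description and the recommendation above; it is not code from the original page. It uses an in-memory SQLite database with a constructed `users` table (the table, rows and payloads are assumptions for the demonstration) and places a login function built by string formatting next to one built with query parameters, then runs two classic payloads (a tautology and a comment-based truncation) against each.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable: user input is formatted straight into the SQL text, so a
    quote in the input closes the literal and the rest becomes SQL syntax."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened: the SQL text is fixed and the values travel separately as
    bound parameters, so quotes and comment markers stay ordinary data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run legitimate and hostile inputs through both functions."""
    conn = make_db()
    # Tautology payload: makes the WHERE clause true for every row.
    tautology = "' OR '1'='1"
    # Comment payload: '--' starts an SQL comment, dropping the password check.
    truncation = "alice'--"
    return {
        # Correct credentials work in both versions.
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        # Vulnerable version: query becomes
        #   ... WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'
        # which matches every row, so the first user is "logged in".
        "tautology_vulnerable": login_vulnerable(conn, tautology, tautology),
        "tautology_safe": login_safe(conn, tautology, tautology),
        # Vulnerable version: query becomes
        #   ... WHERE username = 'alice'--' AND password = 'wrong'
        # and everything after '--' is ignored, so alice logs in without a password.
        "truncation_vulnerable": login_vulnerable(conn, truncation, "wrong"),
        "truncation_safe": login_safe(conn, truncation, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result!r}")
```

In the parameterized version the same payloads simply fail to match any user, because the database driver never parses them as SQL; this is why binding parameters, rather than escaping, is the recommended fix.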