Avoid SQL injection vulnerabilities ( CWE-89 )

CRITICAL

Rule Definition
In web based applications, the validation of all user input is critical to avoid major security problems that would come from the Injection flaws. To avoid the creation of Injection flaws, the Open Web Application Security Project (OWASP) recommends the validation of all user input : "Use a standard input validation mechanism to validate all input data for length, type, syntax, and business rules before accepting the data to be displayed or stored. Use an "accept known good" validation strategy. Reject invalid input rather than attempting to sanitize potentially hostile data. Do not forget that error messages might also include invalid data" The Common Weakness Enumeration defines Improper Input Validation ( CWE-20 ) as follows : "When software does not validate input properly, an attacker is able to craft the input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution." This rule ensures that the appropriate input validation is coded within the same method that called the user input call, making security checking easier for all team members.

Remediation
Code the appropriate input validation as close as possible to the user input call.

Violation Code Sample

The following code dynamically constructs and executes a SQL query that searches for items matching a specified name. The query restricts the items displayed to those where owner matches the user name of the currently-authenticated user. ... string userName = ctx.getAuthenticatedUserName(); string query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + ItemName.Text + "'"; sda = new SqlDataAdapter(query, conn); DataTable dt = new DataTable(); sda.Fill(dt); ...

Fixed Code Sample

... string userName = ctx.getAuthenticatedUserName(); // validate the user input string query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + ItemName.Text + "'"; sda = new SqlDataAdapter(query, conn); DataTable dt = new DataTable(); sda.Fill(dt); ...

Reference

CWE-89 : Failure to Preserve SQL Query Structure (aka 'SQL Injection') http://cwe.mitre.org/data/definitions/89.html Open Web Application Security Project (OWASP) http://www.owasp.org/index.php/Top_10_2007 CISQ rule: ASCSM-CWE-89.

Related Technologies
.Net JEE

Health Factor

Transferability

Technical Criterion
Secure Coding - Input Validation

About CAST Appmarq

CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.

Benchmark Statistics

Global Compliance

99.81%

Total Violations

212

Total Opportunities

108,803

Average Violations / App.

1.04

The compliance score represents 1 minus the ratio between the number of times a rule has been violated compared to the number of opportunities in a set of applications that the rule could have been violated.

Industry Insights

Select from drop-down

99.75%

Software ISV

99.95%

Insurance

99.68%

Want more stats? Register now!