Skip to content

SQL Injection

Description

A SQL injection vulnerability occurs when users can insert - inject - malicious SQL code in a legit SQL query that is built from user-submitted input. A successful SQL injection exploit can read sensitive data from the database, modify database data, execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file from the DBMS file system and in some cases issue commands to the operating system.

Remediation

Primary defenses:

  • Use of Prepared Statements (with parameterized queries). This prevention techniques is the most effective one as it will completely shutdown any SQL injection attacks. Keep in mind that prepared statements must be used everywhere, even if no user inputted data is found in the query.
  • Use of Stored Procedures.
  • Allow-list Input Validation. Usage whitelist is recommended to prevent SQL injection attacks as whitelisting is more effective then black listing.
  • Escaping all user supplied input.

Additional defenses:

  • Enforcing Least Privilege.
  • Performing Allow-list Input Validation as a secondary line of defense.

GraphQL Specific

Apollo To prevent SQL injection in the Apollo framework engine, ensure that all database queries are constructed using parameterized statements or prepared statements. This approach separates the SQL logic from the data input, effectively neutralizing the potential for malicious input to alter the structure of the SQL command. Additionally, employ input validation to whitelist acceptable input patterns and reject any suspicious or unexpected data. Regularly update the Apollo framework and its dependencies to incorporate security patches. Implement proper error handling to avoid revealing sensitive information in error messages that could aid an attacker. Lastly, consider using ORM (Object-Relational Mapping) libraries that inherently use parameterized queries to further reduce the risk of SQL injection attacks.
Yoga To prevent SQL injection in the Yoga framework engine, ensure that all database queries are performed using parameterized statements or prepared statements. This approach allows the database to distinguish between code and data, regardless of user input. The Yoga framework should utilize its database abstraction layer correctly to prepare queries, which will effectively mitigate the risk of SQL injection attacks. Additionally, always validate and sanitize user input to reduce the attack surface further. Implementing proper error handling and logging mechanisms can also help in identifying and responding to any attempted attacks promptly.
Awsappsync To mitigate SQL injection vulnerabilities in AWS AppSync, ensure that all database queries are constructed using parameterized statements or prepared statements, which separate the SQL logic from the input data. Additionally, use AWS AppSync's built-in VTL (Velocity Template Language) resolvers to sanitize and validate all input data before it is processed in your queries. Implement proper authorization checks and access controls to limit data exposure. Regularly update and patch your GraphQL schema and underlying data sources to address any security vulnerabilities. Employ AWS WAF (Web Application Firewall) to provide an additional layer of security with custom rules designed to block malicious SQL injection attempts.
Graphqlgo To mitigate SQL injection risks in a GraphQL Go framework engine, ensure that all database queries are constructed using parameterized statements or prepared statements, which separate the query structure from the data inputs. Additionally, employ input validation to whitelist allowable characters and reject potentially malicious input. Implement proper error handling to avoid exposing database schema information. Regularly review and update dependencies to incorporate security patches for the GraphQL framework and associated libraries.
Graphqlruby In the GraphQL Ruby framework, to prevent SQL injection, ensure that all user-supplied input is validated and sanitized. Use the built-in mechanisms for parameterization provided by GraphQL types and avoid directly interpolating variables into queries. Always use the query object's methods to construct conditions, and never construct SQL fragments manually. Additionally, employ Active Record or another ORM's built-in protections, which use parameterized queries to safely handle user input.
Hasura To prevent SQL injection in Hasura, ensure that all user inputs are validated and use prepared statements with variable binding. Avoid constructing SQL queries with string concatenation. Additionally, leverage Hasura's role-based access control to restrict data access and permissions.
Agoo Validate and sanitize all user inputs, and use parameterized queries or prepared statements in the Agoo framework to prevent SQL injection vulnerabilities.
Ariadne Implement input validation and use parameterized queries in the Ariadne framework to prevent SQL injection by ensuring that user inputs are properly sanitized and not directly included in SQL statements.
Caliban Implement input validation and use parameterized queries in the Caliban framework to prevent SQL injection vulnerabilities.
Dgraph Implement input validation and use parameterized queries to prevent SQL injection in the Dgraph framework engine.
Dianajl Implement input validation and use parameterized queries in the Dianajl framework engine to prevent SQL injection vulnerabilities.
Directus Ensure all database queries in the Directus framework use parameterized queries or prepared statements to prevent SQL injection vulnerabilities.
Flutter Validate and sanitize all user inputs to prevent injection attacks in the Flutter framework.
Graphene Utilize Graphene's built-in input validation and parameterized queries to prevent SQL injection by ensuring that all user inputs are properly sanitized and validated before being used in database queries.
Graphqlapiforwp Implement input validation and sanitization for all user inputs in the GraphQL API for WP framework to prevent malicious queries. Use parameterized queries or prepared statements to ensure that user inputs are not directly concatenated into database queries.
Graphqlgophergo Validate and sanitize all user inputs, use parameterized queries, and employ a library that automatically escapes GraphQL queries to prevent injection attacks in the GopherJS framework.
Graphqljava Validate and sanitize all user inputs, and use parameterized queries or prepared statements to prevent injection attacks in GraphQL Java.
Graphqlphp Use prepared statements and input validation to prevent SQL injection in the graphqlphp framework.
Graphqlyoga Validate and sanitize all user inputs, and use parameterized queries or prepared statements in the GraphQL Yoga framework to prevent SQL injection vulnerabilities.
Hypergraphql Validate and sanitize all user inputs, and use parameterized queries to prevent SQL injection in the HyperGraphQL framework.
Jaal Implement input validation and use parameterized queries in the Jaal framework engine to prevent SQL injection vulnerabilities.
Juniper Implement input validation and use parameterized queries in the Juniper framework engine to prevent SQL injection vulnerabilities.
Lacinia Validate and sanitize all user inputs to prevent SQL injection vulnerabilities in the Lacinia framework engine.
Lighthouse Implement input validation and sanitization to prevent malicious code execution in the Lighthouse framework engine.
Mercurius Ensure that all database queries in the Mercurius framework engine use parameterized queries or prepared statements to prevent SQL injection vulnerabilities. Avoid directly embedding user input into SQL statements and validate all inputs to ensure they conform to expected formats.
Morpheusgraphql Implement input validation and sanitization in Morpheus GraphQL framework to prevent SQL injection by ensuring that all user inputs are properly escaped and use parameterized queries to safely construct SQL statements.
Qglgen Use parameterized queries or prepared statements in gqlgen to prevent SQL injection by ensuring that user inputs are safely handled and not directly concatenated into SQL queries.
Sangria Utilize Sangria's argument validation and input coercion features to ensure that all user inputs are properly sanitized and validated before being used in database queries.
Shopify Utilize Shopify's Liquid templating language and built-in security features to sanitize user inputs and prevent SQL injection vulnerabilities.
Stepzen Ensure that all database queries in the StepZen framework use parameterized queries or prepared statements to prevent SQL injection vulnerabilities. Avoid directly embedding user input into SQL statements and validate or sanitize all inputs to ensure they conform to expected formats.
Strawberry Implement input validation and use parameterized queries in the Strawberry Framework engine to prevent SQL injection vulnerabilities.
Tartiflette Ensure that all database queries in the Tartiflette framework engine use parameterized queries or prepared statements to prevent SQL injection vulnerabilities. Avoid directly embedding user input into SQL queries and validate or sanitize inputs where necessary.
Wpgraphql Ensure all database queries in the WPGraphQL framework use prepared statements or parameterized queries to prevent SQL injection vulnerabilities.

REST Specific

Asp_net In ASP.NET, prevent SQL injection by utilizing parameterized queries with SqlCommand or Entity Framework, employing stored procedures, and validating user inputs. Additionally, use ORM tools like Entity Framework which inherently protect against SQL injection by handling data as strongly typed objects rather than constructing SQL queries using string concatenation. Always encode user inputs if they are used in SQL queries, and regularly update your database management system to patch any known vulnerabilities.
Ruby_on_rails In Ruby on Rails, use the ActiveRecord query interface which automatically handles parameterized queries to prevent SQL injection. For example, instead of using string interpolation, use the `where` method like this: `User.where('name = ?', params[:name])`. Also, ensure that raw SQL is avoided unless absolutely necessary and always sanitize input with methods like `quote` or `sanitize_sql_array` if you must use raw SQL.
Next_js In Next.js applications, prevent SQL injection by using parameterized queries or prepared statements with libraries like `pg` for PostgreSQL. Avoid concatenating user input directly into SQL queries. Instead, use query parameters to ensure that user input is treated as data, not executable code. Additionally, employ input validation and ORM libraries that provide built-in protections against SQL injection.
Laravel In Laravel, use Eloquent ORM or the query builder's parameter binding to prevent SQL injection. Both methods ensure that user input is treated as data rather than executable code. For raw SQL queries, use prepared statements with named or positional binding. Additionally, validate and sanitize user inputs to strengthen security.
Express_js In Express.js, prevent SQL injection by using parameterized queries with libraries like 'mysql' or 'pg'. Avoid concatenating user inputs directly into SQL statements. Instead, use placeholders (e.g., '?', '$1') for inputs and provide parameters separately to the query function. This ensures that user input is treated as data, not executable code. Additionally, employ ORM libraries like Sequelize which automatically handle parameterization, and regularly validate and sanitize user input to further reduce injection risks.
Django In Django, use the ORM to create SQL queries, as it automatically escapes user inputs. If raw SQL must be used, employ Django's built-in parameterized query support with the 'params' argument to avoid SQL injection by ensuring that user inputs are properly escaped.
Symfony In Symfony, use the Doctrine ORM or DBAL's prepared statements to mitigate SQL injection risks. Always use parameterized queries or Doctrine's DQL (Doctrine Query Language) to ensure that user input is handled safely. Avoid concatenating or interpolating user input directly into SQL queries. Additionally, regularly validate and sanitize user input to prevent malicious data from being processed.
Spring_boot In Spring Boot, prevent SQL injection by using JPA Repository or Spring Data interfaces for database access. These abstractions use parameterized queries, which ensure that user input is treated as data rather than executable code. Additionally, avoid constructing SQL queries through string concatenation with user input, and use Hibernate's Criteria API or JPQL with bind parameters to further safeguard against injection attacks.
Flask In Flask, use SQLAlchemy or another ORM that supports parameterized queries to prevent SQL injection. Ensure that raw SQL queries are avoided, or if necessary, use contextually appropriate escaping functions provided by the database driver, such as `escape()` in MySQL-Python. Additionally, validate and sanitize all user inputs to enforce proper input format.
Nuxt In Nuxt.js applications, prevent SQL injection by using libraries that support parameterized queries or prepared statements, such as `knex.js` or `sequelize`. Always validate and sanitize user input, and avoid directly concatenating user input into SQL queries. Implement proper error handling to prevent the exposure of database details. Additionally, use ORM (Object-Relational Mapping) libraries that abstract SQL execution and inherently protect against SQL injection.
Fastapi In FastAPI, to prevent SQL injection, use ORM libraries like SQLAlchemy which employ parameterized queries. Ensure that all database queries are constructed using ORM methods rather than string concatenation or interpolation. For raw SQL queries, use FastAPI's database dependencies with query parameters instead of formatting strings directly. Regularly update dependencies to incorporate security fixes.
Frappe Utilize ORM methods provided by the Frappe framework to prevent direct SQL execution and ensure all database queries are parameterized.
Genzio Implement input validation and use parameterized queries in the Genzio framework engine to prevent SQL injection vulnerabilities.
Gin Use parameterized queries with the Gin framework by utilizing prepared statements to safely handle user inputs and prevent SQL injection vulnerabilities.
Gorilla Implement input validation and use prepared statements with parameterized queries in the Gorilla framework to prevent SQL injection vulnerabilities.
Hapi Use parameterized queries with hapi's query builders or ORM libraries like Sequelize to prevent SQL injection by ensuring user inputs are treated as data, not executable code.
Hono Validate and sanitize all user inputs, and use parameterized queries or prepared statements to prevent SQL injection in the Hono framework engine.
Jersey Use parameterized queries in the Jersey framework to prevent SQL injection by ensuring that user input is treated as data, not executable code. This can be achieved by using PreparedStatement objects in your database interactions, which safely handle user inputs and prevent malicious SQL code execution.
Koa Use parameterized queries with libraries like 'knex' or 'sequelize' in the Koa framework to prevent SQL injection by ensuring user inputs are safely handled and not directly concatenated into SQL statements.
Ktor Use parameterized queries with Ktor's Exposed library to prevent SQL injection by safely binding user inputs to SQL statements.
Leptos Validate and sanitize all user inputs, and use parameterized queries or prepared statements to prevent SQL injection vulnerabilities in the Leptos framework engine.
Macaron Utilize the Macaron framework's built-in ORM or database libraries that support parameterized queries to prevent SQL injection vulnerabilities.
Phoenix Use Ecto's query interpolation to safely handle user input and prevent SQL injection in the Phoenix framework.
Redwoodjs In RedwoodJS, use Prisma's parameterized queries to prevent SQL injection by ensuring that user inputs are safely handled and not directly interpolated into SQL statements.
Rocket Utilize Rocket's built-in request guards to validate and sanitize user inputs, and employ parameterized queries with the database connection to prevent SQL injection vulnerabilities.
Sveltekit Utilize SvelteKit's built-in data validation and sanitization features to ensure user inputs are properly handled before being used in SQL queries, and always use parameterized queries to prevent SQL injection vulnerabilities.

Configuration

Identifier: injection/sql

Options

  • skip_objects : List of object that are to be skipped by the security test.

Examples

Ignore this check

checks:
  injection/sql:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API9:2023
  • OWASP LLM: LLM06:2023
  • pci: 6.5.1
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-7

Classification

  • CWE: 89

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C
  • CVSS_SCORE: 8.7

References