Uncontrolled data in SQL query¶

ID: cpp/sql-injection
Kind: path-problem
Security severity: 8.8
Severity: error
Precision: high
Tags:
   - security
   - external/cwe/cwe-089
Query suites:
   - cpp-code-scanning.qls
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls

Click to see the query in the CodeQL repository

The code passes user input as part of a SQL query without escaping special elements. It generates a SQL query using sprintf, with the user-supplied data directly passed as an argument to sprintf. This leaves the code vulnerable to attack by SQL Injection.

Recommendation¶

Use a library routine to escape characters in the user-supplied string before converting it to SQL.

Example¶

int main(int argc, char** argv) {
  char *userName = argv[2];
  
  // BAD
  char query1[1000] = {0};
  sprintf(query1, "SELECT UID FROM USERS where name = \"%s\"", userName);
  runSql(query1);
  
  // GOOD
  char userNameSql[1000] = {0};
  encodeSqlString(userNameSql, 1000, userName); 
  char query2[1000] = {0};
  sprintf(query2, "SELECT UID FROM USERS where name = \"%s\"", userNameSql);
  runSql(query2);
}

References¶

MSDN Library: SQL Injection.
Common Weakness Enumeration: CWE-89.

© GitHub, Inc.
Terms
Privacy

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

Alternative Proxies:

Alternative Proxy