SQL injection from event data in SQL string in AWS Lambda

Critical Risk | sql-injection

Tags: java, aws-lambda, sql-injection, jdbc, string-concatenation

What it is

SQL injection vulnerability where untrusted Lambda event fields are concatenated into SQL strings (e.g., StringBuilder or String.format) instead of using parameterized statements, potentially allowing attackers to read, modify, or delete database records, escalate privileges, or run destructive queries.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Lambda event fields are directly concatenated into SQL strings using StringBuilder, String.format, or + operator.

Root causes

String Concatenation with Event Data

Lambda event fields are directly concatenated into SQL strings using StringBuilder, String.format, or + operator.

Missing PreparedStatement Usage

Failing to use JDBC PreparedStatement with proper parameter binding for dynamic queries.

Fixes

1. Use PreparedStatement with Parameter Binding

Replace string concatenation with PreparedStatement and bind values using setString, setInt, etc.

Implementation:

    // The SQL text is fixed at compile time; the event value is supplied only as a bound parameter.
    PreparedStatement stmt = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
    stmt.setString(1, userId);
2. Validate and Type-Check Event Inputs

Implement comprehensive validation for all Lambda event fields before using them in queries.

Implementation: validate that IDs are integers, that strings match expected patterns, and that values are checked against allow-lists.
3. Consider JPA/Hibernate for ORM Protection

Use ORM frameworks that generate parameterized SQL by default to reduce injection risks.

Implementation:

    // JPQL named parameter: the provider binds the value instead of interpolating it into the query text.
    entityManager.createQuery("SELECT u FROM User u WHERE u.id = :id")
                 .setParameter("id", userId);
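A Lambda handler that applies fixes 1 and 2 together, with the flagged concatenation pattern kept alongside for comparison. This is an added example, not Sourcery's own code; it assumes the aws-lambda-java-events API Gateway event types and that connection settings are read from the function's environment variables.

```java
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import com.amazonaws.services.lambda.runtime.events.APIGatewayProxyRequestEvent;
import com.amazonaws.services.lambda.runtime.events.APIGatewayProxyResponseEvent;
import java.sql.*;
import java.util.Map;

public class GetUserHandler
        implements RequestHandler<APIGatewayProxyRequestEvent, APIGatewayProxyResponseEvent> {

    // Assumed: connection details are supplied through the function's environment variables.
    private static final String JDBC_URL = System.getenv("JDBC_URL");
    private static final String DB_USER = System.getenv("DB_USER");
    private static final String DB_PASSWORD = System.getenv("DB_PASSWORD");

    // The pattern the rule flags: the event value becomes part of the SQL text itself,
    // so whatever the caller places in the path parameter is parsed as SQL.
    static String vulnerableSql(String rawId) {
        return "SELECT email FROM users WHERE id = " + rawId;
    }

    @Override
    public APIGatewayProxyResponseEvent handleRequest(APIGatewayProxyRequestEvent event, Context ctx) {
        Map<String, String> pathParams = event.getPathParameters();
        String rawId = pathParams == null ? null : pathParams.get("id");
        // Fix 2: type-check the event field before it goes anywhere near a query.
        long userId;
        try {
            userId = Long.parseLong(rawId);          // Long.parseLong(null) also throws
        } catch (NumberFormatException e) {
            return reply(400, "id must be an integer");
        }
        // Fix 1: the SQL text is a constant; the value travels as a typed, bound parameter.
        String sql = "SELECT email FROM users WHERE id = ?";
        try (Connection conn = DriverManager.getConnection(JDBC_URL, DB_USER, DB_PASSWORD);
             PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setLong(1, userId);
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next() ? reply(200, rs.getString("email")) : reply(404, "not found");
            }
        } catch (SQLException e) {
            ctx.getLogger().log("query failed: " + e.getMessage());
            return reply(500, "internal error");   // do not echo database errors to the caller
        }
    }

    private static APIGatewayProxyResponseEvent reply(int status, String body) {
        return new APIGatewayProxyResponseEvent().withStatusCode(status).withBody(body);
    }
}
```

Opening a connection per invocation keeps the example short; a production handler would reuse a connection across warm invocations or go through RDS Proxy.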

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from event data in SQL strings in AWS Lambda and many other security issues in your codebase.