SQL injection from public method string in raw SQL in Spring

Critical Risk sql-injection
javaspringsql-injectionjdbc-templateraw-sql

What it is

SQL injection vulnerability where a public method String parameter is concatenated into a raw SQL statement instead of using parameterized queries, potentially allowing attackers to read or alter data, escalate privileges, or run arbitrary database operations.

ℹī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

ℹī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Public method parameters are directly concatenated into raw SQL statements in Spring components.

Root causes

String Concatenation in Spring Controllers/Services

Public method parameters are directly concatenated into raw SQL statements in Spring components.

Improper JdbcTemplate Usage

Using JdbcTemplate with concatenated SQL instead of parameterized query methods.

Fixes

1

Use JdbcTemplate Parameterized Queries

Replace string concatenation with JdbcTemplate methods using ? placeholders and parameter arrays.

View implementation 
jdbcTemplate.queryForObject("SELECT * FROM users WHERE id = ?", new Object[]{userId}, User.class)
2

Use NamedParameterJdbcTemplate

For complex queries, use NamedParameterJdbcTemplate with named parameters for better readability.

View implementation 
namedTemplate.queryForObject("SELECT * WHERE id = :userId", params, User.class)
3

Validate Controller/Service Parameters

Implement comprehensive validation for all public method parameters used in database operations.

View implementation 
Use @Valid, custom validators, and input sanitization before database queries

Detect This Vulnerability in Your Code

Sourcery automatically identifies sql injection from public method string in raw sql in spring and many other security issues in your codebase.

Scan Your Code for Free Explore More Vulnerabilities