SQL injection vulnerability in Java applications using JDBC where user input is directly concatenated into SQL queries using Statement instead of PreparedStatement.
import java.sql.*;
public class UserDAO {
private Connection connection;
public User getUserById(String userId) throws SQLException {
// VULNERABLE: String concatenation
String query = "SELECT * FROM users WHERE id = " + userId;
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery(query);
if (rs.next()) {
return new User(
rs.getInt("id"),
rs.getString("username"),
rs.getString("email")
);
}
return null;
}
}import java.sql.*;
public class UserDAO {
private Connection connection;
public User getUserById(int userId) throws SQLException {
// SECURE: Using PreparedStatement
String query = "SELECT * FROM users WHERE id = ?";
try (PreparedStatement pstmt = connection.prepareStatement(query)) {
pstmt.setInt(1, userId);
ResultSet rs = pstmt.executeQuery();
if (rs.next()) {
return new User(
rs.getInt("id"),
rs.getString("username"),
rs.getString("email")
);
}
}
return null;
}
// Method with input validation
public User getUserByIdSafe(String userIdStr) throws SQLException, IllegalArgumentException {
// Validate and convert input
int userId;
try {
userId = Integer.parseInt(userIdStr);
} catch (NumberFormatException e) {
throw new IllegalArgumentException("Invalid user ID format");
}
if (userId <= 0) {
throw new IllegalArgumentException("User ID must be positive");
}
return getUserById(userId);
}
}PreparedStatement in Java automatically handles parameter escaping and prevents SQL injection. The method also shows proper input validation.
Using Statement.executeQuery with string concatenation instead of PreparedStatement with parameters is the primary cause of SQL injection in Java applications.
Sourcery automatically identifies java jdbc sql injection and many other security issues in your codebase.