SQL injection from event data in SQL string in AWS Lambda with pymssql

Risk: Critical
Category: sql-injection
Tags: python, aws-lambda, pymssql, sql-injection, serverless

What it is

An SQL injection vulnerability in AWS Lambda functions arises when user-controlled event values are concatenated or formatted into SQL query strings and passed to pymssql's cursor.execute() without parameters. This can allow an attacker to read or modify database data, run queries the application never intended, or compromise the integrity of the application.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation
Why it happens

Lambda event fields are directly concatenated or formatted into SQL strings without parameterization.

Root causes

Direct Event Data Concatenation

Lambda event fields are directly concatenated or formatted into SQL strings without parameterization.

Missing Parameter Binding

Calling pymssql cursor.execute() with a pre-formatted SQL string instead of passing the values through parameter placeholders.

Fixes

1. Use Parameterized Queries

Always use parameter placeholders with pymssql cursor.execute(), passing the values as a separate tuple:

    cursor.execute('SELECT * FROM users WHERE id=%s', (user_id,))
2. Validate Event Data

Validate and cast Lambda event values to the expected types before use: ensure IDs are integers, validate string formats, and check values against an allow-list.
3. Use Stored Procedures

For complex queries, use stored procedures with parameter binding:

    cursor.callproc('GetUserById', [user_id])
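Putting fixes 1 and 2 together, here is an added example (not Sourcery's or pymssql's own code) of a Lambda handler that validates the event field and hands it to pymssql as a bound parameter, shown next to the vulnerable string-formatting pattern. The pymssql.connect() arguments taken from environment variables and the FakeCursor stand-in are assumptions so the example runs offline.

```python
import json
import os

# Constructed stand-in for a pymssql cursor so the example runs offline;
# in Lambda, pass a real cursor obtained from pymssql.connect(...) instead.
class FakeCursor:
    def __init__(self):
        self.calls = []  # (sql, params) pairs seen by execute()
        self.rows = {7: {"id": 7, "name": "alice"}}  # constructed sample data
        self._result = None
    def execute(self, sql, params=None):
        self.calls.append((sql, params))
        self._result = self.rows.get(params[0]) if params else None
    def fetchone(self):
        return self._result

def parse_user_id(event):
    """Validate and cast the event field before it goes anywhere near SQL."""
    raw = (event.get("pathParameters") or {}).get("id")
    if raw is None or isinstance(raw, bool) or not str(raw).isdecimal():
        raise ValueError("id must be a positive integer")
    return int(raw)

def build_unsafe_query(event):
    """Vulnerable pattern: the event value is formatted straight into the SQL text."""
    return "SELECT id, name FROM users WHERE id=%s" % event["pathParameters"]["id"]

def build_safe_query(event):
    """Hardened: the SQL text is constant; the value travels as a bound parameter."""
    return "SELECT id, name FROM users WHERE id=%s", (parse_user_id(event),)

def lookup_user(cursor, event):
    sql, params = build_safe_query(event)
    cursor.execute(sql, params)  # pymssql quotes the parameter; SQL text never changes
    return cursor.fetchone()

def lambda_handler(event, context, cursor=None):
    if cursor is None:  # real Lambda path; connection settings assumed to come from env vars
        import pymssql
        conn = pymssql.connect(os.environ["DB_HOST"], os.environ["DB_USER"],
                               os.environ["DB_PASSWORD"], os.environ["DB_NAME"])
        cursor = conn.cursor(as_dict=True)
    try:
        row = lookup_user(cursor, event)
    except ValueError as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    if row is None:
        return {"statusCode": 404, "body": json.dumps({"error": "not found"})}
    return {"statusCode": 200, "body": json.dumps(row)}
```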

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from event data in SQL strings in AWS Lambda with pymssql, along with many other security issues in your codebase.