SQL injection from HTTP request data in manual SQL string in Play

Critical Risk sql-injection
Tags: scala, play-framework, http-request, sql-injection, manual-sql

What it is

SQL injection vulnerability in which HTTP request parameters are concatenated into SQL text without parameter binding. Untrusted characters in a parameter can break out of the string context and alter the query structure, potentially letting an attacker expose or corrupt data, execute unintended queries, escalate privileges, and compromise the database and the services that depend on it.

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

â„šī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Request parameters from forms, query strings, or path variables are directly concatenated into SQL strings.

Root causes

HTTP Request Parameter Concatenation

Request parameters from forms, query strings, or path variables are directly concatenated into SQL strings.

Manual SQL Construction

Building SQL queries manually with string operations instead of using parameterized query methods.
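The following Play controller, added here as an example rather than code from the original page or from the Play project, shows the two root causes side by side: an action that splices a query-string parameter into the SQL text, and the same lookup with the value bound through a JDBC PreparedStatement. It assumes a hypothetical `users` table with `id` and `email` columns, Play's `play.api.db.Database` injected into the controller, and a route such as `GET /users controllers.UserController.findSafe(id: String)`.

```scala
import java.sql.ResultSet
import javax.inject.Inject
import play.api.db.Database
import play.api.mvc.{AbstractController, ControllerComponents}

// Added example (not from the page or from Play). Assumed schema:
//   users(id VARCHAR, email VARCHAR)
class UserController @Inject()(db: Database, cc: ControllerComponents)
    extends AbstractController(cc) {

  // Drain a ResultSet's "email" column into a list.
  private def emails(rs: ResultSet): List[String] =
    Iterator.continually(rs).takeWhile(_.next()).map(_.getString("email")).toList

  // VULNERABLE: the request parameter becomes part of the SQL text itself.
  // A value that closes the quote (for example one containing a single quote)
  // changes the structure of the statement instead of being treated as data.
  def findVulnerable(id: String) = Action {
    db.withConnection { conn =>
      val stmt = conn.createStatement()
      val rs   = stmt.executeQuery("SELECT email FROM users WHERE id = '" + id + "'")
      Ok(emails(rs).mkString(","))
    }
  }

  // FIXED: the SQL text is a constant; the value travels to the driver as a
  // bound parameter, so whatever characters it contains cannot alter the query.
  def findSafe(id: String) = Action {
    db.withConnection { conn =>
      val stmt = conn.prepareStatement("SELECT email FROM users WHERE id = ?")
      stmt.setString(1, id)
      Ok(emails(stmt.executeQuery()).mkString(","))
    }
  }
}
```

In `findSafe` the query string never changes between requests, which is also what makes the statement cacheable by the driver; if `id` is numeric in the real schema, parsing it to a `Long` and using `setLong` rejects malformed input before it reaches the database at all.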

Fixes

1. Use PreparedStatement with Parameter Binding

Replace string concatenation with JDBC PreparedStatement and bind all user values as parameters.

Implementation: val stmt = conn.prepareStatement("SELECT * FROM users WHERE id = ?"); stmt.setString(1, userId)
2. Use Play Framework Database APIs

Leverage Play's database access layers that provide parameter binding by default.

Implementation: Use Slick or Anorm with parameter binding instead of raw SQL construction
3. Validate All HTTP Request Data

Implement comprehensive validation for all HTTP request data before database operations.

Implementation: Use Play Form validation, custom constraints, and allow-lists for dynamic identifiers
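Fixes 2 and 3 combined in one controller, as an added example that is not part of the original page or of the Play or Anorm projects: the form binds and validates the request, Anorm binds the email as a named parameter, and the one thing that cannot be bound (the ORDER BY column) is taken from an allow-list rather than from the request. It assumes Play 2.8-era Form and controller APIs, Anorm on the classpath, an injected `play.api.db.Database`, and a hypothetical `users(id, email, created_at)` table.

```scala
import javax.inject.Inject
import anorm._
import anorm.SqlParser._
import play.api.data.Form
import play.api.data.Forms._
import play.api.db.Database
import play.api.mvc.{AbstractController, ControllerComponents}

// Added example (not from the page, Play or Anorm). Assumed schema:
//   users(id BIGINT, email VARCHAR, created_at TIMESTAMP)
case class UserSearch(email: String, sortBy: String)

class UserSearchController @Inject()(db: Database, cc: ControllerComponents)
    extends AbstractController(cc) {

  // Identifiers (table and column names) cannot be bound as parameters, so a
  // dynamic sort column is chosen from this fixed set, never copied from input.
  private val sortableColumns = Set("id", "email", "created_at")

  private val searchForm = Form(
    mapping(
      "email"  -> email,  // Play's built-in e-mail format constraint
      "sortBy" -> nonEmptyText.verifying("unknown sort column", sortableColumns.contains(_))
    )(UserSearch.apply)(UserSearch.unapply)
  )

  def search = Action { implicit request =>
    searchForm.bindFromRequest().fold(
      // Validation failed: reject the request before any SQL is built.
      formWithErrors => BadRequest(formWithErrors.errors.map(_.message).mkString("; ")),
      params => {
        val ids = db.withConnection { implicit conn =>
          // {email} is a bound parameter; only the allow-listed column name is
          // interpolated into the SQL text.
          SQL(s"SELECT id FROM users WHERE email = {email} ORDER BY ${params.sortBy}")
            .on("email" -> params.email)
            .as(scalar[Long].*)
        }
        Ok(ids.mkString(","))
      }
    )
  }
}
```

The validation on `sortBy` is what keeps the interpolation safe: because the form rejects any value outside `sortableColumns`, the only strings that can ever reach the `ORDER BY` clause are the three literals defined in the controller.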

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from HTTP request data in manual SQL strings in Play, along with many other security issues in your codebase.