Using dynamic SQL queries that concatenate user input directly into the query string can lead to SQL injection vulnerabilities. Attackers can manipulate the input to alter the SQL query’s structure, potentially gaining unauthorized access to or manipulating the database.
No issue will be raised if one of the functions is called with hard-coded string (no concatenation) and this string does not contain a "$" sign.
$result = mysql_query("SELECT * FROM myTable WHERE id = 42") or die('Query failed: ' . mysql_error()); // Compliant
The current implementation does not follow variables. It will only detect SQL queries which are concatenated or contain a $ sign
directly in the function call.
$query = "SELECT * FROM myTable WHERE id = " . $id; $result = mysql_query($query); // No issue will be raised even if it is Sensitive
To prevent SQL injection vulnerabilities, use prepared statements with parameterized queries. This approach separates the SQL code from the data, ensuring that user input is treated as data only and not executable code.
$id = $_GET['id'];
mysql_connect('localhost', $username, $password) or die('Could not connect: ' . mysql_error());
mysql_select_db('myDatabase') or die('Could not select database');
$result = mysql_query("SELECT * FROM myTable WHERE id = " . $id); // Noncompliant, could be susceptible to SQL injection
while ($row = mysql_fetch_object($result)) {
echo $row->name;
}
$id = $_GET['id'];
try {
$conn = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $conn->prepare('SELECT * FROM myTable WHERE id = :id');
$stmt->execute(array('id' => $id));
while($row = $stmt->fetch(PDO::FETCH_OBJ)) {
echo $row->name;
}
} catch(PDOException $e) {
echo 'ERROR: ' . $e->getMessage();
}