HttpServletRequest request = ...;
String userName = request.getParameter("name");      // attacker-controlled input from the HTTP request
Connection con = ...;
String query = "SELECT * FROM Users " + " WHERE name = '" + userName + "'";   // query built by string concatenation, no escaping
con.execute(query);                                   // the untrusted string reaches the database as SQL text
exec store proc
This code snippet obtains a user name (userName) by invoking request.getParameter("name") and uses it to construct a query that is passed to a database for execution (con.execute(query)). This seemingly innocent piece of code may allow an attacker to gain access to unauthorized information: if an attacker has full control of the string userName obtained from an HTTP request, he can for example set it to ' OR 1 = 1; --. Two dashes are used to indicate comments in the Oracle dialect of SQL, so the WHERE clause of the query effectively becomes the tautology name = '' OR 1 = 1. This allows the attacker to circumvent the name check and get access to all user records in the database.

Does this vulnerability still exist today?
In Java, use the PreparedStatement object.
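To make the tautology attack from the excerpt and the PreparedStatement-style fix concrete, here is an added example that is not part of the original paper or of the comments above. It uses Python's built-in sqlite3 module instead of Java and JDBC so that it runs without a database server; the Users table and its two rows are constructed sample data, and the payload is the one the excerpt describes (SQLite also treats -- as a line comment). lookup_concat builds the query by concatenation exactly as the Java snippet does; lookup_prepared binds the value as a parameter, which is what PreparedStatement does in Java.

```python
import sqlite3

# Constructed sample data (not from the paper): an in-memory Users table.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return con

def lookup_concat(con, user_name):
    # Vulnerable: the same concatenation as the Java snippet. Whatever the
    # caller supplies becomes part of the SQL text the parser sees.
    query = "SELECT * FROM Users WHERE name = '" + user_name + "'"
    return con.execute(query).fetchall()

def lookup_prepared(con, user_name):
    # Hardened: the value travels as a bound parameter, so quotes, OR and
    # comment markers inside it are data, never SQL syntax.
    query = "SELECT * FROM Users WHERE name = ?"
    return con.execute(query, (user_name,)).fetchall()

# The payload from the excerpt: closes the quote, adds a tautology and
# comments out the trailing quote.
TAUTOLOGY_PAYLOAD = "' OR 1 = 1; --"

def compare(user_name):
    """Run both lookups on a fresh database and return (rows_concat, rows_prepared)."""
    return (
        lookup_concat(make_db(), user_name),
        lookup_prepared(make_db(), user_name),
    )

if __name__ == "__main__":
    for name in ("alice", TAUTOLOGY_PAYLOAD):
        concat_rows, prepared_rows = compare(name)
        print(f"input {name!r}: concatenation -> {len(concat_rows)} row(s), "
              f"parameterised -> {len(prepared_rows)} row(s)")
```

With the honest input both functions return Alice's row. With the payload, the concatenated query's WHERE clause collapses to name = '' OR 1 = 1 and every user is returned, while the parameterised query looks for a user literally named "' OR 1 = 1; --" and returns nothing.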
Why did you take it all down and head to C++?
In the code below, string param is tainted because it is returned from the source method getParameter. So is buf1, because it is derived from param in the call to append on line 6. Finally, string query is passed to the sink method executeQuery.

1 String param = req.getParameter("user");
2
3 StringBuffer buf1;
4 StringBuffer buf2;
5 ...
6 buf1.append(param);
7 String query = buf2.toString();
8 con.executeQuery(query);

Unless we know that variables buf1 and buf2 may never refer to the same object, we would have to conservatively assume that they may. Since buf1 is tainted, variable query may also refer to a tainted object. Thus a conservative tool that lacks additional information about pointers will flag the call to executeQuery on line 8 as potentially unsafe.
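The following is an added example, not code from the paper, that models the taint propagation the paragraph describes over the four statements that matter (lines 1, 6, 7 and 8; the elided line 5 is left out). Taint is tracked on abstract heap objects, and each variable is given a points-to set; the analysis then runs twice, once with a conservative points-to map in which buf1 and buf2 may both refer to either object, and once with the precise map in which they refer to distinct objects. The statement encoding, the object names o1 and o2 and the function names are all this example's own assumptions.

```python
# Each statement is (kind, target, source). Constructed to mirror the paper's
# lines 1, 6, 7 and 8; "getParameter" is the source, "executeQuery" the sink.
PROGRAM = [
    ("source", "param", "req.getParameter"),   # line 1: param = req.getParameter("user")
    ("append", "buf1", "param"),               # line 6: buf1.append(param)
    ("tostring", "query", "buf2"),             # line 7: query = buf2.toString()
    ("sink", "con.executeQuery", "query"),     # line 8: con.executeQuery(query)
]

# Points-to maps: variable -> set of abstract heap objects it may refer to.
# Without pointer information the tool must assume buf1 and buf2 may alias.
CONSERVATIVE_POINTS_TO = {"buf1": {"o1", "o2"}, "buf2": {"o1", "o2"}}
# With a points-to analysis, buf1 and buf2 are known to be distinct objects.
PRECISE_POINTS_TO = {"buf1": {"o1"}, "buf2": {"o2"}}

def analyze(program, points_to):
    """Forward taint propagation; returns the list of flagged (sink, argument) pairs."""
    tainted_vars = set()   # string variables holding tainted data
    tainted_objs = set()   # abstract heap objects (StringBuffers) holding tainted data
    flagged = []
    for kind, target, src in program:
        if kind == "source":
            # Return value of a source method is tainted.
            tainted_vars.add(target)
        elif kind == "append":
            # target.append(src): taint flows into every object target may point to.
            if src in tainted_vars:
                tainted_objs |= points_to[target]
        elif kind == "tostring":
            # target = src.toString(): tainted if any object src may point to is tainted.
            if points_to[src] & tainted_objs:
                tainted_vars.add(target)
        elif kind == "sink":
            # Passing tainted data to a sink is reported.
            if src in tainted_vars:
                flagged.append((target, src))
    return flagged

def compare_precision():
    """Run the analysis under both pointer assumptions and return the two reports."""
    return (
        analyze(PROGRAM, CONSERVATIVE_POINTS_TO),
        analyze(PROGRAM, PRECISE_POINTS_TO),
    )

if __name__ == "__main__":
    conservative, precise = compare_precision()
    print("without pointer information:", conservative or "nothing flagged")
    print("with points-to analysis:   ", precise or "nothing flagged")
```

Under the conservative map the append on line 6 taints both o1 and o2, so buf2.toString() on line 7 yields a tainted query and the executeQuery call on line 8 is flagged. Under the precise map only o1 is tainted, buf2 refers to o2, and the same call is not reported, which is exactly the false positive that pointer information removes.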