Ravi Ranjan

Reputation: 740

Securing a static SQL query from SQL Injection

I have an application which reads thousands of flat files containing database parameters and static SQL statements. In my Java code I take the SQL statement and execute it. This is not acceptable to Fortify due to a probable SQL Injection vulnerability. E.g. my flat file is something like below:

query: SELECT USER_ID FROM SOME_TABLE WHERE ID='2'

I take the query and execute it.

My question is how can I make such static SQLs safe? Is there a way to convert these SQLs into PreparedStatements?

Upvotes: 0

Views: 1380

Answers (1)

Thilo

Reputation: 262534

If you don't alter the SQL statements read from your file based on user input, then there is no SQL injection.

On the other hand, if you don't have tight control over what can end up in this file (who can edit it?), then the whole program is a huge SQL injector.

You can make your code review tool happy by using PreparedStatement even if there are no bind parameters. This of course does not improve security in any way.

Upvotes: 1
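The following is an added example, not code from the question or the answer, showing the two situations the answer distinguishes in Java/JDBC. `runStaticQuery` executes a `query:` line from the flat file through a `PreparedStatement` with no bind parameters, which is exactly what the answer describes: it satisfies a scanner that flags `Statement.execute(String)`, but the SQL text still comes straight from the file, so its safety depends on who can write that file. `runParameterizedQuery` goes one step further than the text: if a file line is written as a template with `?` placeholders, runtime values are bound with `setObject` and can never change the statement's structure. The file format (one `query:` line per statement), the JDBC URL, the file path, and the class and method names are assumptions for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

/** Example runner for "query: ..." lines read from a flat file (assumed format). */
public class StaticQueryRunner {

    private static final String QUERY_PREFIX = "query:";

    /** Returns the SQL text of every "query:" line; all other lines are ignored. */
    static List<String> readQueries(Path file) throws IOException {
        List<String> queries = new ArrayList<>();
        for (String line : Files.readAllLines(file)) {
            String trimmed = line.trim();
            if (trimmed.startsWith(QUERY_PREFIX)) {
                queries.add(trimmed.substring(QUERY_PREFIX.length()).trim());
            }
        }
        return queries;
    }

    /**
     * Case 1 (the answer's point): static SQL from the file, no bind parameters.
     * No user input touches the SQL text here, so there is no injection in this
     * method; the trust boundary is the file itself and its write permissions.
     */
    static List<String> runStaticQuery(Connection conn, String sql) throws SQLException {
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                rows.add(rs.getString(1));
            }
        }
        return rows;
    }

    /**
     * Case 2 (beyond the text): the file holds a template such as
     * "SELECT USER_ID FROM SOME_TABLE WHERE ID=?" and the value arrives at
     * runtime. Binding it keeps the value as data; it can never become SQL.
     */
    static List<String> runParameterizedQuery(Connection conn, String sqlTemplate,
                                              List<Object> params) throws SQLException {
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sqlTemplate)) {
            for (int i = 0; i < params.size(); i++) {
                ps.setObject(i + 1, params.get(i)); // JDBC parameters are 1-based
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(rs.getString(1));
                }
            }
        }
        return rows;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder JDBC URL and file path; supply your own on the command line.
        String jdbcUrl = args.length > 0 ? args[0] : "jdbc:PLACEHOLDER";
        Path queryFile = Path.of(args.length > 1 ? args[1] : "queries.txt");

        try (Connection conn = DriverManager.getConnection(jdbcUrl)) {
            for (String sql : readQueries(queryFile)) {
                if (sql.contains("?")) {
                    // Constructed runtime value for the template case.
                    List<Object> params = List.of("2");
                    System.out.println(sql + " -> " + runParameterizedQuery(conn, sql, params));
                } else {
                    System.out.println(sql + " -> " + runStaticQuery(conn, sql));
                }
            }
        }
    }
}
```

The practical check that goes with case 1 is outside the code: confirm that the directory holding the flat files is writable only by the deployment process, because a `PreparedStatement` built from a file that any account can edit is, as the answer puts it, still a SQL injector.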
