Create SqlInjection.java#8
Conversation
| String query = "SELECT account_balance FROM user_data WHERE user_name = " + customerName; | ||
| Statement statement = connection.createStatement(); | ||
| ResultSet results = statement.executeQuery(query); | ||
| return(results); |
There was a problem hiding this comment.
Automated PR Comment From Polaris SAST
Polaris SAST Issue - Improper Resource Shutdown or Release
High CWE-404
Leak of a system resource
The system resource will not be reclaimed and reused, reducing the future availability of the resource.
How to fix
The application must shut down or close any opened resource (such as a database connection, file handle, or input/output stream) after it is finished using that resource. The implementation should account for all possible execution paths where use of a resource ceases, including when exceptions occur.
Where possible, it is recommended to use the dispose pattern provided by the language or framework in question, e.g., the "using" statement in C# or the "try-with-resources" statement in Java to ensure a disposable or closeable object is disposed or closed on all paths exiting a block, including exception cases. Otherwise, calling "Dispose" (C#) or "close" (Java) in a "finally" block is equally effective but more verbose and prone to mistakes.
| String customerName = request.getParameter("customerName"); | ||
| String query = "SELECT account_balance FROM user_data WHERE user_name = " + customerName; | ||
| Statement statement = connection.createStatement(); | ||
| ResultSet results = statement.executeQuery(query); |
There was a problem hiding this comment.
Automated PR Comment From Polaris SAST
Polaris SAST Issue - SQL Injection
High CWE-89
Untrusted user-supplied data is inserted into a SQL statement without adequate validation, escaping, or filtering.
A user can change the intent of the SQL query, which may inappropriately disclose or corrupt data within the database.
How to fix
Rewrite all SQL queries constructed through dynamic concatenation to use an injection-safe query mechanism such as prepared statements with parameterized queries.
Most modern programming languages provide a feature called "parameterized queries" that allow user-supplied data to be inserted safely as values in dynamic SQL queries. Rather than construct the dynamic SQL query by concatenating user-supplied data to static SQL query string fragments, data values are identified in the query by parameter markers or variables. Dynamic data is then passed through a mechanism provided by SQL that prevents the supplied data from changing the meaning of the query.
Note: the exact syntax and use of prepared statements with parameterized queries vary from language to language.
No description provided.