Security Cipher
SQL Injection

Table of Contents
  • 🥺 Vulnerable Code
  • 😎 Secure Code

Here is an example of Java code that is vulnerable to SQL injection through the productId value, which is read straight from the id request parameter:

🥺 Vulnerable Code

// User-controlled input, taken from the request without validation
String productId = request.getParameter("id");
// The input is concatenated into the SQL text, so it becomes part of the query
String query = "SELECT * FROM products WHERE id = " + productId;

Statement st = connection.createStatement();
ResultSet rs = st.executeQuery(query);

while (rs.next()) {
    String name = rs.getString("name");
    String description = rs.getString("description");
    // display product details
}

This code is vulnerable to SQL injection because it concatenates user input (the “id” request parameter, held in productId) directly into the SQL query string. An attacker can supply a value for that parameter that changes the meaning of the query, for example by appending additional clauses or comments, so the database executes a statement the developer never intended.

😎 Secure Code

To secure this code, use a prepared statement with a parameterized query. The user-supplied value is then bound to a placeholder instead of being spliced into the SQL text, so an attacker cannot change the structure of the query:

String productId = request.getParameter("id");
// The '?' placeholder marks where the value goes; the SQL text itself is fixed
String query = "SELECT * FROM products WHERE id = ?";

PreparedStatement st = connection.prepareStatement(query);
// Bind the value as data. If id is a numeric column, validating the input and
// using setInt instead is stricter still.
st.setString(1, productId);
ResultSet rs = st.executeQuery();

while (rs.next()) {
    String name = rs.getString("name");
    String description = rs.getString("description");
    // display product details
}

With a prepared statement, the value of the “productId” parameter is sent to the database as a bound parameter, separate from the SQL text. Any special characters in it are treated as data rather than as part of the query, so an attacker cannot inject clauses or comments into the statement.
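The following is an added example, not code from the page or its author, that reproduces both versions of the lookup against an in-memory SQLite database so the difference can be tested directly. It is written in Python rather than Java so it runs with the standard library alone; the products table rows are constructed sample data, and lookup_secure_typed is an assumed stricter variant that also validates the id as an integer before binding it.

```python
import sqlite3

# Constructed sample rows standing in for the page's "products" table.
PRODUCTS = [
    (1, "Keyboard", "Mechanical keyboard"),
    (2, "Mouse", "Wireless mouse"),
    (3, "Monitor", "27-inch display"),
]


def make_db():
    """Create an in-memory products table loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", PRODUCTS)
    return conn


def lookup_vulnerable(conn, product_id):
    """Mirror of the page's vulnerable Java: input concatenated into SQL text."""
    query = "SELECT * FROM products WHERE id = " + product_id
    return conn.execute(query).fetchall()


def lookup_secure(conn, product_id):
    """Mirror of the page's secure Java: '?' placeholder, value bound as data.

    The whole string is compared against the id column as a single value,
    so it can never alter the structure of the statement.
    """
    query = "SELECT * FROM products WHERE id = ?"
    return conn.execute(query, (product_id,)).fetchall()


def lookup_secure_typed(conn, product_id):
    """Assumed stricter variant: reject anything that is not an integer id.

    Returns None when the input is malformed so the caller can answer with a
    client error instead of querying at all.
    """
    try:
        pid = int(product_id)
    except ValueError:
        return None
    query = "SELECT * FROM products WHERE id = ?"
    return conn.execute(query, (pid,)).fetchall()
```

Running the three lookups with an ordinary id and with an id that carries an extra clause shows the concatenated query returning every row while the parameterized queries return only the matching row or nothing.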

©2023. Security Cipher. All Rights Reserved.