Hi Chamila,

Some programs accept untrusted data originating from invalid sources and then pass it to different trusted domains. Most of the time the data is in the form of a string with some internal syntactic structure, which the subsystem must parse. Such data must be sanitized both because the subsystem may be unprepared to handle the malformed input and because unsanitized input may include an injection attack.

As an example:

The problem: the sqlString below accepts unsanitized input arguments, so it may permit a SQL injection attack.

    import java.sql.SQLException;

    // Vulnerable: untrusted username and password are spliced into the SQL text.
    public void accessPermission(String username, char[] password) throws SQLException {
        String pwd = new String(password);
        String sqlString = "SELECT * FROM db_user WHERE username = '" + username
                + "' AND password ='" + pwd + "'";
    }

The solution:

    import java.sql.PreparedStatement;
    import java.sql.SQLException;

    // Fixed: the values are bound as parameters, never as part of the SQL text.
    public void accessPermission(String username, char[] password) throws SQLException {
        String sqlString = "select * from db_user where username=? and password=?";
        PreparedStatement stmt = connection.prepareStatement(sqlString);
        stmt.setString(1, username);
        stmt.setString(2, new String(password));
    }

This API can be used for building SQL commands that sanitize untrusted data.

Thanks and Regards,
Hasanthi Dissanayake
Software Engineer | WSO2
E: hasan...@wso2.com
M: 0718407133 | http://wso2.com

On Thu, Jun 4, 2015 at 4:38 PM, Chamila Wijayarathna <cham...@wso2.com> wrote:
> Hi Rajeevan,
>
> Value of CHECK_EXIST_USER_DATA is "SELECT " + "DATA_VALUE " + "FROM IDN_IDENTITY_USER_DATA " + "WHERE TENANT_ID = ? AND USER_NAME = ? AND DATA_KEY=?".
> I tried "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID = ? AND USER_NAME = ? AND DATA_KEY=?" and "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID=? AND USER_NAME=? AND DATA_KEY=?" as well, but I am still getting the same result.
>
> Thanks.
>
> On Thu, Jun 4, 2015 at 4:05 PM, Rajeevan Vimalanathan <rajeev...@wso2.com> wrote:
>> Hi Chamila,
>>
>> What is the value of SQLQuery.CHECK_EXIST_USER_DATA? Is this a constant?
>> You can find a similar issue reported at [1].
>>
>> [1] http://stackoverflow.com/questions/398179/findbugs-not-finding-potential-sql-injection-vulnerability
>>
>> Thanks,
>> Rajeevan
>>
>> On Wed, Jun 3, 2015 at 9:57 AM, Chamila Wijayarathna <cham...@wso2.com> wrote:
>>> Hello all,
>>>
>>> When profiling using Sonar, I'm getting the error in $subject (squid:S2077) from [1]. What is the reason for this warning? How can I solve this?
>>>
>>> 1. https://github.com/wso2/carbon-identity/blob/master/components/identity-mgt/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/identity/mgt/store/JDBCIdentityDataStore.java#L92
>>>
>>> Thank You!
>>>
>>> --
>>> Chamila Dilshan Wijayarathna,
>>> Software Engineer
>>> Mobile: (+94)788193620
>>> WSO2 Inc., http://wso2.com/
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>> --
>> Vimalanathan Rajeevan
>> Software Engineer
>> WSO2 Inc.: http://wso2.com
>> lean.enterprise.middleware
>>
>> Mobile : +94 773090875
>
> --
> Chamila Dilshan Wijayarathna,
> Software Engineer
> Mobile: (+94)788193620
> WSO2 Inc., http://wso2.com/
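Added example, not from the thread or the carbon-identity code: the same contrast in Python's sqlite3, which binds parameters the way a JDBC PreparedStatement does, run against a constructed in-memory table that reuses the column names from the thread. It also shows why the CHECK_EXIST_USER_DATA constant assembled from literal fragments is still a parameterized query.

```python
import sqlite3

# Constructed sample table mirroring the column names in the thread; not real data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IDN_IDENTITY_USER_DATA "
                 "(TENANT_ID INTEGER, USER_NAME TEXT, DATA_KEY TEXT, DATA_VALUE TEXT)")
    conn.executemany(
        "INSERT INTO IDN_IDENTITY_USER_DATA VALUES (?, ?, ?, ?)",
        [(-1234, "alice", "accountLock", "false"),
         (-1234, "o'brien", "accountLock", "true")])
    return conn

# The constant from the thread. Concatenating literal fragments is harmless:
# no untrusted value ever becomes part of the SQL text, only the '?' markers do.
CHECK_EXIST_USER_DATA = ("SELECT " + "DATA_VALUE " + "FROM IDN_IDENTITY_USER_DATA "
                         + "WHERE TENANT_ID = ? AND USER_NAME = ? AND DATA_KEY=?")

def check_exist_user_data_unsafe(conn, tenant_id, user_name, data_key):
    # Vulnerable: user_name and data_key are spliced into the statement, so any
    # quote or SQL syntax they contain is parsed as SQL rather than as data.
    sql = ("SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID = "
           + str(int(tenant_id)) + " AND USER_NAME = '" + user_name
           + "' AND DATA_KEY='" + data_key + "'")
    return [row[0] for row in conn.execute(sql)]

def check_exist_user_data_safe(conn, tenant_id, user_name, data_key):
    # Hardened: the driver binds the values to the '?' markers (the sqlite3
    # counterpart of PreparedStatement.setString), so a quote is just a character.
    return [row[0] for row in
            conn.execute(CHECK_EXIST_USER_DATA, (tenant_id, user_name, data_key))]

def demo():
    conn = make_db()
    out = {"safe_plain": check_exist_user_data_safe(conn, -1234, "alice", "accountLock"),
           "safe_quote": check_exist_user_data_safe(conn, -1234, "o'brien", "accountLock")}
    try:
        check_exist_user_data_unsafe(conn, -1234, "o'brien", "accountLock")
        out["unsafe_quote"] = "ran"
    except sqlite3.OperationalError:
        # The embedded quote ended the string literal early: the statement the
        # database parsed is not the one the programmer wrote.
        out["unsafe_quote"] = "broken statement"
    return out

if __name__ == "__main__":
    print(demo())
```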