Hi Chamila,

Some programs accept untrusted data originating from invalid sources and
then pass it to different trusted domains. Most of the time the data is in
the form of a string with some internal syntactic structure, which the
subsystem must parse. Such data must be sanitized both because the
subsystem may be unprepared to handle the malformed input and because
unsanitized input may include an injection attack.

As an example:

The problem:

The sqlString mentioned below accepts unsanitized input arguments, so it
may permit a SQL injection attack.

public void accessPermission(String username, char[] password) throws
SQLException {

    // Vulnerable: the caller's input is concatenated straight into the SQL text,
    // so quote characters in username or password change the query's structure.
    String sqlString = "SELECT * FROM db_user"
        + " WHERE username = '" + username + "' AND password = '"
        + new String(password) + "'";
    Statement stmt = connection.createStatement();
    ResultSet rs = stmt.executeQuery(sqlString);

}


The solution:

public void accessPermission(String username, char[] password) throws
SQLException {

    // Safe: the SQL text contains only placeholders; the driver binds the
    // values separately, so they can never be parsed as SQL.
    String sqlString = "select * from db_user where username = ? and password = ?";
    PreparedStatement stmt = connection.prepareStatement(sqlString);

    stmt.setString(1, username);
    stmt.setString(2, new String(password));
    ResultSet rs = stmt.executeQuery();

}

This API can be used for building SQL commands that sanitize untrusted data.

Thanks and Regards,

Hasanthi Dissanayake

Software Engineer | WSO2

E: hasan...@wso2.com <nirosh...@wso2.com>
M :0718407133| http://wso2.com <http://wso2.com/>
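The contrast between the two Java snippets above can be exercised end to end against a database. The following is an added example, not code from the thread or from the WSO2 project: it uses Python's bundled sqlite3 module with a constructed in-memory table named db_user (one sample row, alice / s3cret), and reproduces the concatenated query and the placeholder query so the difference in behaviour can be checked rather than described. The table, row, and function names are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample database: one user table with a single row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_user (username TEXT, password TEXT)")
    conn.execute("INSERT INTO db_user VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def access_permission_unsafe(conn, username, password):
    """Mirrors the first Java snippet: input spliced into the SQL text.

    Any quote or comment sequence in the input becomes part of the query's
    grammar, which is exactly what Sonar's S2077 rule flags.
    """
    sql = ("SELECT * FROM db_user WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def access_permission_safe(conn, username, password):
    """Mirrors the PreparedStatement snippet: placeholders plus bound values.

    The driver sends the SQL text and the two values separately, so the
    values are compared literally and never re-parsed as SQL.
    """
    sql = "SELECT * FROM db_user WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(username, password):
    """Run one credential pair through both variants on a fresh database.

    Returns (unsafe_result, safe_result); 'error' marks a query that the
    database rejected because concatenation produced malformed SQL.
    """
    conn = make_db()
    try:
        unsafe = access_permission_unsafe(conn, username, password)
    except sqlite3.Error:
        unsafe = "error"
    safe = access_permission_safe(conn, username, password)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    # Ordinary credentials behave the same either way.
    print(compare("alice", "s3cret"))   # (True, True)
    print(compare("alice", "wrong"))    # (False, False)
    # A benign apostrophe breaks the concatenated query but is harmless when bound.
    print(compare("o'brien", "x"))      # ('error', False)
    # A quote plus comment marker lets the concatenated query skip the password
    # check entirely; the bound version treats it as a literal username and rejects it.
    print(compare("alice' --", "wrong"))  # (True, False)
```

The last two cases are the ones worth keeping as a regression test in a code base like the one linked in the thread: the apostrophe case shows that concatenation is fragile even for honest input (the "malformed input" point from the message), and the comment-marker case shows why a static analyser treats string-built SQL as an injection sink regardless of where the strings come from.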

On Thu, Jun 4, 2015 at 4:38 PM, Chamila Wijayarathna <cham...@wso2.com>
wrote:

> Hi Rajeevan,
>
> Value of CHECK_EXIST_USER_DATA is "SELECT " + "DATA_VALUE " + "FROM
> IDN_IDENTITY_USER_DATA " + "WHERE TENANT_ID = ? AND USER_NAME = ? AND
> DATA_KEY=?".
> I tried "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID =
> ? AND USER_NAME = ? AND DATA_KEY=?" and
> "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID=? AND
> USER_NAME=? AND DATA_KEY=?" as well. But getting the same result still.
>
> Thanks.
>
> On Thu, Jun 4, 2015 at 4:05 PM, Rajeevan Vimalanathan <rajeev...@wso2.com>
> wrote:
>
>> Hi Chamila,
>>
>> What is the value of SQLQuery.CHECK_EXIST_USER_DATA? Is this a constant?
>> You can find a similar issue reported at [1].
>>
>> [1]
>> http://stackoverflow.com/questions/398179/findbugs-not-finding-potential-sql-injection-vulnerability
>>
>> Thanks,
>> Rajeevan
>>
>> On Wed, Jun 3, 2015 at 9:57 AM, Chamila Wijayarathna <cham...@wso2.com>
>> wrote:
>>
>>> Hello all,
>>>
>>> When profiling using Sonar, I'm getting error as in $subject
>>> (squid:S2077)  from [1]. What is the reason for this warning? how can I
>>> solve this?
>>>
>>> 1.
>>> https://github.com/wso2/carbon-identity/blob/master/components/identity-mgt/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/identity/mgt/store/JDBCIdentityDataStore.java#L92
>>>
>>> Thank You!
>>>
>>> --
>>> *Chamila Dilshan Wijayarathna,*
>>> Software Engineer
>>> Mobile:(+94)788193620
>>> WSO2 Inc., http://wso2.com/
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> Dev@wso2.org
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>>
>> Vimalanathan Rajeevan
>> Software Engineer
>> WSO2 Inc.:http://wso2.com
>> lean.enterprise.middleware
>>
>>
>> Mobile : +94 773090875
>>
>
>
>
> --
> *Chamila Dilshan Wijayarathna,*
> Software Engineer
> Mobile:(+94)788193620
> WSO2 Inc., http://wso2.com/
>
>
>