Top 10 2010-A1-Injection

The application uses untrusted data in the construction of the following vulnerable SQL call:
    String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";

The attacker modifies the 'id' parameter in their browser to send: ' or '1'='1. This changes the meaning of the query to return all the records from the accounts database, instead of only the intended customer's.
    http://example.com/app/accountView?id=' or '1'='1

In the worst case, the attacker uses this weakness to invoke special stored procedures in the database, allowing a complete takeover of the database host.
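The scenario above, reproduced as an added example (not part of the original OWASP page) in Python against an in-memory SQLite table: the concatenated query mirrors the page's Java snippet and returns every account when given the page's payload, while a parameterized query treats the same input as plain data. The table contents, the table name accounts and the function names are constructed for this example.

```python
import sqlite3


def build_db():
    # Constructed sample data: three customer accounts in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("1001", 50), ("1002", 75), ("1003", 120)],
    )
    return conn


def lookup_vulnerable(conn, cust_id):
    # Same construction as the page's Java snippet: untrusted input is spliced
    # into the SQL text, so quote characters in the input change the query.
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, cust_id):
    # Parameterized query: the value is bound by the driver and is never
    # parsed as SQL, so the payload simply matches no customer.
    return conn.execute(
        "SELECT * FROM accounts WHERE custID=?", (cust_id,)
    ).fetchall()


# The 'id' value from the page's scenario.
PAYLOAD = "' or '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal id:", lookup_vulnerable(db, "1002"))
    print("vulnerable, payload:  ", lookup_vulnerable(db, PAYLOAD))
    print("parameterized, payload:", lookup_safe(db, PAYLOAD))
```

With the payload, the concatenated text becomes `SELECT * FROM accounts WHERE custID='' or '1'='1'`, which is why every row comes back.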

References

OWASP
 * OWASP SQL Injection Prevention Cheat Sheet
 * OWASP Injection Flaws Article
 * ESAPI Encoder API
 * ESAPI Input Validation API
 * ASVS: Output Encoding/Escaping Requirements (V6)
 * OWASP Testing Guide: Chapter on SQL Injection Testing
 * OWASP Code Review Guide: Chapter on SQL Injection
 * OWASP Code Review Guide: Command Injection

External
 * CWE Entry 77 on Command Injection
 * CWE Entry 89 on SQL Injection