List News Background articles Commentaries Development/Java IT Security Computer Guides & Tips

Secure Programming of Web Applications: SQL Code Injection

Added at 11/14/2020 by Frank Hissen

We can read about numerous successful attacks on well-known web applications on a weekly basis. Reason enough to study the background of "Web Application Security" of custom-made / self-developed applications - no matter if these are used only internally or with public access.

This is an excerpt from the book "Secure Programming of Web Applications: Web Application Security for Software Developers and Project Managers", also available as eBook
A corresponding online (video) training course exists: Online Course 'Web Application Security', also available on Udemy, and on request as HTML5/SCORM/Audio comment version


Users provide input data to a web application. This data is processed at the backend within SQL statements or NoSQL queries. A famous example would be a search function, but in general all user data is relevant here – it could also be a username or password (compare database queries for authentification).
When this user data is processed unfiltered as string within a statement, attackers could be able to alter the statement code itself and execute this at the backend. This might lead not only to unintentional data exposure but also to unintentional data or database modifications.

Simplified Code Sample including Security Vulnerability:

// (Java) // // Transfer of user input through framework/servlet/JSP/CGI // ... // Building database connection // ... Statement stm = con.createStatement(); stm.executeUpdate("UPDATE Table_User SET Password=’" + strInpPasswordNew + "’ WHERE (Name=’" + strInpUsername + "’) AND (Password=’" + strInpPasswordOld + "’);");

→ Explanation: For instance, an input string like "Password123’;--" (without quotation marks) causes overwriting all passwords in the table, because in SQL (not true for all DB systems) "--" starts a code comment so that the rest of the statement is simply ignored.

Secure Programming:

A strict separation of database commands and user inputs has to be implemented. For this purpose, well-established programming constructs have to be used. Own "filter methods" should never be used.


// (Java) // // Transfer of user input through framework/servlet/JSP/CGI // ... // Building database connection // ... PreparedStatement pstm = con.prepareStatement( "UPDATE Table_User SET Password=? WHERE (Name=?) AND (Password=?);"); pstm.setString(1, strInpPasswordNew); pstm.setString(2, strInpUsername); pstm.setString(3, strInpPasswordOld); pstm.executeUpdate();

→ In this example so called Prepared Statements have been used:

The API documentation of each programming environment contains further details about the corresponding application.


Secure Programming, Web Applications, Web Application Security, Software Developing, Project Management, Security Awareness

Categories: IT Security Background articles Development/Java


Post your comment


If you like this page, it would be a great thing if you share it with others:

Mail Facebook Twitter Pinterest LinkedIn
reddit Digg StumbleUpon XING
WhatsApp Telegram