Home

Rule description

• Database queries should not be vulnerable to injection attacks

Non-compliant Code Example

string query = "Delete FROM employee WHERE emp_id = '" + ls_valor + "'" // Possible sql injection

string query = "Select * FROM Users WHERE Username = '" + ls_valor + "'" // Possible sql injection

string query = "Insert INTO employee(emp_id) Values('" + ls_valor + "')" // Possible sql injection

string query = "SELECT emp_id FROM employee WHERE " + ls_where // Possible sql injection