SQL injection from Lambda event data in JDBC SQL statement in AWS Lambda

Critical Risk sql-injection
java, aws-lambda, jdbc, sql-injection, database

What it is

SQL injection vulnerability where Lambda event fields are concatenated into SQL strings executed by JDBC without parameterization or proper binding, potentially allowing attackers to read or modify data, dump tables, or alter schema via crafted Lambda event payloads.

import com.amazonaws.services.lambda.runtime.*;
import java.sql.*;
import java.util.Map;

public class DatabaseLambda implements RequestHandler<Map<String, Object>, String> {

    @Override
    @SuppressWarnings("unchecked")
    public String handleRequest(Map<String, Object> event, Context context) {
        // JDBC calls throw the checked SQLException, which handleRequest cannot declare,
        // so the database work is wrapped in try-with-resources and re-thrown unchecked.
        try (Connection conn = DriverManager.getConnection(System.getenv("DATABASE_URL"));
             Statement stmt = conn.createStatement()) {

            Map<String, String> pathParams = (Map<String, String>) event.get("pathParameters");
            String userId = pathParams.get("userId");
            String status = pathParams.get("status");

            // VULNERABLE: String concatenation of untrusted event fields into the SQL text
            String query = "SELECT * FROM users WHERE id = '" + userId +
                          "' AND status = '" + status + "'";

            ResultSet rs = stmt.executeQuery(query);
            // ... process rs ...
        } catch (SQLException e) {
            throw new RuntimeException(e);
        }

        return "{\"status\": \"success\"}";
    }
}

import com.amazonaws.services.lambda.runtime.*;
import java.sql.*;
import java.util.Map;

public class DatabaseLambda implements RequestHandler<Map<String, Object>, String> {

    @Override
    @SuppressWarnings("unchecked")
    public String handleRequest(Map<String, Object> event, Context context) {
        Map<String, String> pathParams = (Map<String, String>) event.get("pathParameters");
        String userId = pathParams.get("userId");
        String status = pathParams.get("status");

        // SECURE: PreparedStatement with ? placeholders; the SQL text is fixed and
        // the event values are sent to the driver as bound parameters, never parsed as SQL.
        try (Connection conn = DriverManager.getConnection(System.getenv("DATABASE_URL"));
             PreparedStatement stmt = conn.prepareStatement(
                 "SELECT * FROM users WHERE id = ? AND status = ?")) {

            stmt.setString(1, userId);
            stmt.setString(2, status);

            ResultSet rs = stmt.executeQuery();
            // ... process rs ...
        } catch (SQLException e) {
            throw new RuntimeException(e);
        }

        return "{\"status\": \"success\"}";
    }
}

💡 Why This Fix Works

The vulnerable code uses string concatenation with Statement.executeQuery() to build SQL queries from Lambda event data, so any quote or operator in an event field becomes part of the query and enables SQL injection. The fixed version uses PreparedStatement with ? placeholders and setString() to bind the values: the SQL text is compiled with the placeholders in place, and the bound values are passed to the driver as data, so the database never interprets them as SQL.

Why it happens

Lambda event fields are directly concatenated into SQL strings executed by JDBC Statement.

Root causes

Event Field Concatenation in JDBC

Fields taken from the Lambda event (for example pathParameters) are concatenated directly into the SQL string handed to a JDBC Statement, so the database parses attacker-controlled characters as part of the query.

Improper JDBC Usage

Using Statement instead of PreparedStatement for queries containing event data.

Fixes

1. Use PreparedStatement with Parameter Binding

Replace Statement with PreparedStatement and bind all variables using setString/setInt methods.

PreparedStatement stmt = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
stmt.setString(1, userId);

2. Use Spring JdbcTemplate for Parameterized Queries

When using Spring, leverage JdbcTemplate's parameterized query methods for safer database access. A full row needs a RowMapper (the Class-only overload maps a single column), and the arguments are passed as varargs after the mapper:

jdbcTemplate.queryForObject("SELECT * FROM users WHERE id = ?", new BeanPropertyRowMapper<>(User.class), userId)

3. Validate and Constrain Event Inputs

Implement strict validation for all Lambda event inputs before using them in database operations: check data types, ranges and formats, and use allow-lists for expected values. Validation is a second layer; even validated values must still be bound, not concatenated.
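As an added example that is not part of the Sourcery rule page, the following handler combines fixes 1 and 3: it parses userId as a bounded integer, checks status against an allow-list, and only then binds both values with a PreparedStatement. The users table and DATABASE_URL are taken from the page's own snippets; the ValidatingDatabaseLambda class name, the ALLOWED_STATUSES set, the parseUserId helper and the JSON responses are assumptions constructed for this example.

```java
// Added example, not the page's own code: validate Lambda path parameters,
// then bind them. Assumes the page's "users" table and DATABASE_URL variable.
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;
import java.util.Set;

public class ValidatingDatabaseLambda implements RequestHandler<Map<String, Object>, String> {

    // Allow-list of status values the query may see (constructed for this example).
    private static final Set<String> ALLOWED_STATUSES = Set.of("active", "suspended", "deleted");

    @Override
    @SuppressWarnings("unchecked")
    public String handleRequest(Map<String, Object> event, Context context) {
        Map<String, String> pathParams = (Map<String, String>) event.get("pathParameters");
        if (pathParams == null) {
            return error("missing pathParameters");
        }

        // 1. Type and range check: userId must be a positive 32-bit integer, not free text.
        int userId;
        try {
            userId = parseUserId(pathParams.get("userId"));
        } catch (IllegalArgumentException e) {
            return error(e.getMessage());
        }

        // 2. Allow-list check: status must be one of the known values.
        String status = pathParams.get("status");
        if (status == null || !ALLOWED_STATUSES.contains(status)) {
            return error("status must be one of " + ALLOWED_STATUSES);
        }

        // 3. Even validated values are bound as parameters, never concatenated into SQL.
        String sql = "SELECT id, status FROM users WHERE id = ? AND status = ?";
        try (Connection conn = DriverManager.getConnection(System.getenv("DATABASE_URL"));
             PreparedStatement stmt = conn.prepareStatement(sql)) {
            stmt.setInt(1, userId);
            stmt.setString(2, status);
            try (ResultSet rs = stmt.executeQuery()) {
                if (!rs.next()) {
                    return "{\"status\": \"not_found\"}";
                }
                return "{\"status\": \"success\", \"id\": " + rs.getInt("id") + "}";
            }
        } catch (SQLException e) {
            // Log the driver error server-side; return a generic message to the caller.
            context.getLogger().log("database error: " + e.getMessage());
            return error("database error");
        }
    }

    /** Parses a user id, rejecting anything that is not a positive 32-bit integer (hypothetical helper). */
    static int parseUserId(String raw) {
        if (raw == null || raw.isEmpty() || raw.length() > 10) {
            throw new IllegalArgumentException("userId is required and must be at most 10 digits");
        }
        for (int i = 0; i < raw.length(); i++) {
            if (raw.charAt(i) < '0' || raw.charAt(i) > '9') {
                throw new IllegalArgumentException("userId must contain only digits");
            }
        }
        long value = Long.parseLong(raw);
        if (value <= 0 || value > Integer.MAX_VALUE) {
            throw new IllegalArgumentException("userId out of range");
        }
        return (int) value;
    }

    // Builds a small JSON error body; quotes in the message are replaced so the JSON stays well-formed.
    private static String error(String message) {
        return "{\"status\": \"error\", \"message\": \"" + message.replace("\"", "'") + "\"}";
    }
}
```

The validation rejects the payload before any database call is made, so a malformed userId never reaches the driver, and using setInt for the id means the column is compared as a number rather than as a quoted string. Binding remains the actual injection defence; the checks narrow the input space and give callers a clear error instead of a database exception.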

Detect This Vulnerability in Your Code

Sourcery automatically identifies sql injection from lambda event data in jdbc sql statement in aws lambda and many other security issues in your codebase.