SQL injection from formatted SQL string in JDBC Statement

Critical Risk sql-injection
javajdbcsql-injectionstatementstring-formatting

What it is

SQL injection vulnerability where SQL uses concatenated or formatted variables executed via Statement without parameters, potentially allowing attackers to read or modify database data and execute dangerous operations.

ℹī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

ℹī¸ Configuration Fix

Configuration changes required - see explanation below.

💡 Explanation

Why it happens

Using String.format(), concatenation, or StringBuilder to build SQL queries with variables.

Root causes

String Formatting in SQL Construction

Using String.format(), concatenation, or StringBuilder to build SQL queries with variables.

Statement Instead of PreparedStatement

Using java.sql.Statement for dynamic queries instead of parameterized PreparedStatement.

Fixes

1

Replace Statement with PreparedStatement

Use PreparedStatement with ? placeholders and bind variables using setter methods.

View implementation 
PreparedStatement stmt = conn.prepareStatement("SELECT * FROM users WHERE id = ?"); stmt.setInt(1, userId);
2

Eliminate String Formatting in SQL

Remove all uses of String.format, concatenation, and StringBuilder for SQL construction.

View implementation 
Replace formatted strings with parameter placeholders and proper binding
3

Avoid Dynamic SQL Construction

When possible, use static SQL with parameters rather than building queries dynamically.

View implementation 
Pre-define common query patterns and use conditional logic for variations

Detect This Vulnerability in Your Code

Sourcery automatically identifies sql injection from formatted sql string in jdbc statement and many other security issues in your codebase.

Scan Your Code for Free Explore More Vulnerabilities