SQL injection from AWS Lambda event data in PyMySQL query

Critical Risk sql-injection
Tags: python, aws-lambda, pymysql, sqlinjection, serverless

What it is

SQL injection vulnerability where untrusted AWS Lambda event fields (request body, query string parameters) flow into SQL strings passed to cursor.execute without parameters. Attacker-controlled tokens can then alter the query structure, allowing an attacker to read or change data, run dangerous SQL functions, and expose sensitive information.

Vulnerable code
import pymysql
import json

def lambda_handler(event, context):
    body = json.loads(event['body'])
    username = body['username']
    status = event['queryStringParameters']['status']
    
    connection = pymysql.connect(
        host='database.example.com',
        user='dbuser',
        password='dbpass',
        database='mydb'
    )
    
    with connection.cursor() as cursor:
        # VULNERABLE: f-string interpolation
        sql = f"SELECT * FROM users WHERE username = '{username}'"
        cursor.execute(sql)
        
        # VULNERABLE: String concatenation
        query = "SELECT * FROM orders WHERE status = '" + status + "'"
        cursor.execute(query)
        
        results = cursor.fetchall()
    
    return {
        'statusCode': 200,
        'body': json.dumps(results)
    }

Fixed code

import pymysql
import json

def lambda_handler(event, context):
    body = json.loads(event['body'])
    username = body['username']
    status = event['queryStringParameters']['status']
    
    connection = pymysql.connect(
        host='database.example.com',
        user='dbuser',
        password='dbpass',
        database='mydb'
    )
    
    with connection.cursor() as cursor:
        # SECURE: Parameterized query with %s
        cursor.execute(
            'SELECT * FROM users WHERE username = %s',
            (username,)
        )
        
        # SECURE: Parameterized query
        cursor.execute(
            'SELECT * FROM orders WHERE status = %s',
            (status,)
        )
        
        results = cursor.fetchall()
    
    return {
        'statusCode': 200,
        'body': json.dumps(results)
    }

💡 Why This Fix Works

The vulnerable code uses f-strings and string concatenation to build SQL queries from Lambda event data, so any quote or SQL token in the event becomes part of the query. The fixed version uses parameterized queries with %s placeholders and a parameter tuple: the driver escapes the values as data, so they can never change the query structure. Note that %s is PyMySQL's placeholder for every column type; do not apply Python's % operator or .format() to the query string yourself, as that reintroduces the interpolation.

Why it happens

Lambda event parameters are directly inserted into SQL queries without validation or parameterization.

Root causes

Unvalidated Event Data in SQL

Fields pulled from the event body and query string parameters are inserted into SQL queries as-is, without validation or parameterization.

String Formatting Instead of Parameters

Building the query with Python string formatting (f-strings, concatenation, %, .format()) instead of PyMySQL's parameter binding.

Fixes

1. Use PyMySQL Parameter Binding

Replace string concatenation with %s placeholders and parameter tuples.

cursor.execute('SELECT * FROM table WHERE id = %s', (event_id,))

2. Validate and Cast Event Fields

Validate Lambda event fields and cast them to the expected types before database operations: ensure numeric fields are integers and validate string patterns.

3. Use Query Builders

Consider using query builders or ORMs that handle parameterization automatically, such as SQLAlchemy or similar libraries for complex queries.
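Fixes 1 and 2 combined, as an added example that is not code from the Sourcery page: the handler validates the body and query-string fields against constructed allow-lists (assumptions, since the page does not define its schema's valid values) before binding them with %s, and takes the PyMySQL cursor as a parameter (a hypothetical signature; a real Lambda entry point receives only event and context) so the logic can be exercised without a database.

```python
import json
import re

# Constructed allow-lists (assumptions: the original page does not define which
# usernames or order statuses its schema accepts).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
ALLOWED_STATUSES = frozenset({"pending", "shipped", "delivered", "cancelled"})


class ValidationError(ValueError):
    """An event field is missing or does not have its expected shape."""


def parse_event(event):
    """Pull username (JSON body) and status (query string) out of an API Gateway
    proxy event and validate both before they go anywhere near the database."""
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError as exc:
        raise ValidationError("body is not valid JSON") from exc
    username = body.get("username") if isinstance(body, dict) else None
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must be 1-64 chars of [A-Za-z0-9_.-]")
    status = (event.get("queryStringParameters") or {}).get("status")
    if status not in ALLOWED_STATUSES:
        raise ValidationError("status is not an allowed order status")
    return username, status


def build_queries(username, status):
    """Return (sql, params) pairs. The SQL text is a constant; the values travel
    separately so PyMySQL escapes them as data, never as SQL tokens."""
    return [
        ("SELECT id, username FROM users WHERE username = %s", (username,)),
        ("SELECT id, status FROM orders WHERE status = %s", (status,)),
    ]


def lambda_handler(event, context, cursor):
    """Hypothetical handler: the caller supplies an open PyMySQL cursor (from
    pymysql.connect(...).cursor()), which keeps the query logic testable offline."""
    try:
        username, status = parse_event(event)
    except ValidationError as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    results = []
    for sql, params in build_queries(username, status):
        cursor.execute(sql, params)  # values bound by the driver, not interpolated
        results.extend(cursor.fetchall())
    return {"statusCode": 200, "body": json.dumps(results, default=str)}
```

Rejected input never reaches cursor.execute, so the 400 path can be checked with no cursor at all; in a deployment, wrap lambda_handler in a two-argument entry point that opens the connection.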

Detect This Vulnerability in Your Code

Sourcery automatically identifies SQL injection from AWS Lambda event data in PyMySQL queries, along with many other security issues in your codebase.