
We recently had a security scan done for our application and we found a few blind SQL injection issues. However, I found that we are getting this issue even after using prepared statements.

Does using a prepared statement alone not solve blind SQL injection issues? Does having string concatenation in a prepared statement spoil all the advantage?

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

private static final String selectStatement = "select email, phone from tuser where name = ?";
private Connection theConnection;
private ResultSet rs;

public void execute(String name) throws SQLException {
    // The concatenated suffix is a compile-time constant, not user input;
    // the only user-controlled value (name) is passed as a bind parameter.
    PreparedStatement preparedStatement = theConnection.prepareStatement(selectStatement + " ORDER BY name");

    preparedStatement.setString(1, name);
    rs = preparedStatement.executeQuery();
}

Can anybody let me know what's wrong with this code and how to solve this? Is data validation the only way? What if I want to allow all chars?

Vinay b
    How do you know that this is still vulnerable to blind sql injection? I am not seeing it. Are you saying that because a scan said so, and if so, how did it reach that conclusion? Someone said so? You reached that conclusion based on what? – sstan Jul 13 '15 at 18:16
    Your code is fine from a security standpoint. Your security scanner is just dumb and will report any SQL string concatenation as an error. – Neil McGuigan Jul 13 '15 at 18:34
  • How has it been scanned? By a dynamic scanner or by static analysis? – SilverlightFox Jul 14 '15 at 08:10
  • Dynamic scanner, IBM AppScan – Vinay b Jul 14 '15 at 15:34
  • This false positive can be triggered by inconsistent response times from your application. Blind SQL injection is detected by inserting sleep commands, and finding out if your application takes longer to respond. PS. Don't forget to include @silverlightfox when replying, otherwise they don't get notified (I only found this by chance). – SilverlightFox Jul 15 '15 at 07:23
  • @silverlightfox I am getting inconsistent responses for the same request but with the parameter being modified by AppScan – Vinay b Jul 15 '15 at 11:45

1 Answer


Your code is fine from the security standpoint and this is a false alarm reported by the scanner (whichever one it is).

You should probably configure the scanner to ignore these kinds of warnings.

Dragan Bozanovic
    Agreed it's a False Positive, but disagree that you should ignore these warnings. It should be marked as a False Positive and move on. – LaJmOn Jul 14 '15 at 14:41
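To make the point in the answer and the comments concrete, here is an added example (not code from the question, the answer, or any scanner vendor) that reproduces the asker's query shape in Python with the standard sqlite3 module, since a JDBC version would need a database driver and could not run stand-alone. The tuser table, its three rows and the ALLOWED_ORDER_COLUMNS list are constructed for this demonstration. It shows that concatenating a constant ORDER BY suffix onto a parameterized query leaves the user value as data, what the genuinely vulnerable pattern looks like, the boolean probe a dynamic scanner uses to detect blind injection (going beyond the page by showing the check itself), and the allow-list needed when the sort column is chosen by the client, because identifiers cannot be bound as parameters.

```python
import sqlite3

SELECT_STATEMENT = "select email, phone from tuser where name = ?"

# Columns a client may sort by. Identifiers cannot be bound as parameters,
# so a user-chosen sort column must be checked against a fixed list
# (constructed for this example).
ALLOWED_ORDER_COLUMNS = ("name", "email")


def make_db():
    """Constructed in-memory sample data for this demonstration (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tuser (name text, email text, phone text)")
    conn.executemany(
        "insert into tuser values (?, ?, ?)",
        [
            ("alice", "alice@example.com", "555-0100"),
            ("bob", "bob@example.com", "555-0101"),
            ("carol", "carol@example.com", "555-0102"),
        ],
    )
    return conn


def execute_safe(conn, name):
    """Same shape as the asker's Java: a constant suffix is concatenated onto the
    SQL text, but the user-supplied name travels only through the bind parameter."""
    return conn.execute(SELECT_STATEMENT + " ORDER BY name", (name,)).fetchall()


def execute_vulnerable(conn, name):
    """The pattern a scanner should flag: the user value is spliced into the SQL text."""
    sql = "select email, phone from tuser where name = '" + name + "' ORDER BY name"
    return conn.execute(sql).fetchall()


def execute_with_sort(conn, name, order_by):
    """Hardened form for a client-chosen sort column: allow-list the identifier,
    then concatenate only the vetted value; the name is still a bind parameter."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unsupported sort column: %r" % (order_by,))
    return conn.execute(SELECT_STATEMENT + " ORDER BY " + order_by, (name,)).fetchall()


def looks_blind_injectable(conn, query_fn):
    """Boolean-based blind probe of the kind a dynamic scanner runs: append a
    tautology and a contradiction to a known value; if the two responses differ,
    the input is being interpreted as SQL rather than as data."""
    true_case = query_fn(conn, "alice' AND '1'='1")
    false_case = query_fn(conn, "alice' AND '1'='2")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("safe query, normal input:", execute_safe(db, "alice"))
    print("safe query, injection attempt:", execute_safe(db, "' OR 1=1 --"))
    print("vulnerable query, injection attempt:", execute_vulnerable(db, "' OR 1=1 --"))
    print("blind probe against safe query:", looks_blind_injectable(db, execute_safe))
    print("blind probe against vulnerable query:", looks_blind_injectable(db, execute_vulnerable))
    print("allow-listed sort:", execute_with_sort(db, "bob", "email"))
```

Run it with python3 and compare the two probe results: the parameterized query returns the same empty result for both payloads, so a boolean-based scanner has nothing to distinguish, while the concatenated query returns a row for the tautology and none for the contradiction. A timing-based blind check works the same way with a sleep payload, which is why, as the comments note, an application whose response time already varies between requests can trip the scanner even though the query is safe.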