1

I have the following enum:

public enum AccountStatus {

    ENABLED,
    CONFIRMATION_PENDING,
    EXPIRED,
    LOCKED,
    DISABLED,
    CREDENTIALS_EXPIRED,
}

That I'm binding to checkboxes in a JSP form:

<li><form:checkbox path="accountStatus" value="ENABLED" label="Enabled" /></li>
<li><form:checkbox path="accountStatus" value="CONFIRMATION_PENDING" label="Confirmation Pending" /></li>
...
<li><form:checkbox path="accountStatus" value="CREDENTIALS_EXPIRED" label="Credentials Expired" /></li>

In my controller when I get the selected checkbox values I convert the String to an Enum as follows:

AccountStatus accountStatus = AccountStatus.valueOf("selected string here");

Then in my DAO (using Spring JdbcTemplate) I query my database using the selected values:

String SQL = "SELECT * FROM TABLE_A WHERE column = \'" + accountStatus.name() + "\'";

jdbcTemplate.query(SQL, new MyMapper());

Since I'm validating each user selected checkbox by using AccountStatus.valueOf(...), is this way of doing safe from SQL injection?

karim
  • 149
  • 1
  • 3
  • 15
  • 2
    Why don't you just use parameterized queries? – cbr Jan 09 '17 at 16:00
  • My SQL query is more complicated, i just wrote a simple example. So i have to dynamically generate the SQL query depending on user entered values. – karim Jan 09 '17 at 16:03
  • 1
    So you can still parameterize. – OldProgrammer Jan 09 '17 at 16:06
  • I don't think i have to parametrize because I'm using enum values but I'm not sure. And it's a complicated search engine done like this if it's safe I think it's not necessary to modify it. – karim Jan 09 '17 at 16:19

2 Answers2

1

You can also use http://commons.apache.org/proper/commons-lang/javadocs/api-3.1/org/apache/commons/lang3/EnumUtils.html

This library contains many useful util classes

TypeEnum strTypeEnum = null;

// check if string makes valid enum
if( EnumUtils.isValidEnum(TypeEnum.class, str) ){
    strTypeEnum = TypeEnum.valueOf(str);
}
Noman Khan
  • 920
  • 5
  • 12
1

You don't have any danger of somebody injecting arbitrary SQL for how you're showing this enum value getting set. An attacker could send an invalid enum name but valueOf would throw an IllegalArgumentException when it couldn't match it to a valid value.

If there was some reason a valid enum value shouldn't be entered (for instance, a particular role doesn't have privileges to look up entries with a DISABLED value) then in the absence of other server-side validation the attacker could change the entry to that valid-but-not-permitted value. So that would be a possible attack, which you could remediate by adding more validation (in my example, checking that the enum value is permitted for the user's roles).

It would improve the legibility of this SQL to rewrite it to use parameters (preferably named parameters). Also this will keep showing up in every code review, static code analysis, and code audit, and I would be annoyed to have to keep answering questions about it. But I understand wanting to avoid touching something complex that is working.

Community
  • 1
  • 1
Nathan Hughes
  • 94,330
  • 19
  • 181
  • 276