
This is my first question in this forum. We support Spring & Hibernate framework applications, and recently a scan was run on the existing code (more than 6 years old) as part of our security process. It identified SQL injection vulnerabilities in those applications, around 5. There are many places where this happened, like below:

```java
import java.util.List;

import org.hibernate.Query;
import org.hibernate.Session;

// The code as scanned: the search criteria are concatenated into the SQL text
// by fillCriteria, and csort / csorty are appended straight into ORDER BY.
public List<?> search(Session session, FormBean searchcriteria, String csort, String csorty) {
    StringBuffer sb = new StringBuffer();

    sb.append(" SELECT * FROM VW_VIEW1 WHERE COLUMN1 IN (")
      .append(" SELECT ID FROM VW_VIEW2 WHERE (")
      .append(" COLUMN1 = :NAME OR COLUMN2 IN (SELECT COLUMN2 FROM TABLE WHERE COLUMN3 = :NAME ) AND COLUMN2 IS NOT NULL))");

    if (searchcriteria != null) {
        fillCriteria(searchcriteria, sb);   // <-- the call the scanner flagged
    }

    sb.append(" order by ").append(csort).append(" ").append(csorty);
    Query query = session.createSQLQuery(sb.toString()).setParameter("NAME", "MYNAME");
    return query.list();
}
```

The problem here is fillCriteria: it adds many WHERE-clause columns based on user selection. Sample code of the method is shown below:

```java
private void fillCriteria(FormBean criteria, StringBuffer sb) {
    Helper.addCriterionClause(sb, " and lower(Table_ID) like ", criteria.ID);
    Helper.addCriterionClause(sb, " and lower(Table_ID1) like ", criteria.ID1);
    Helper.addCriterionClause(sb, " and lower(Table_ID2) like ", criteria.ID2);
    Helper.addCriterionClause(sb, " and lower(Table_ID3) like ", criteria.ID3);
    Helper.addCriterionClause(sb, " and lower(Table_ID4) like ", criteria.ID4);
    Helper.addCriterionClause(sb, " and lower(Table_ID5) like ", criteria.ID5);
    Helper.addCriterionClause(sb, " and lower(Table_ID6) like ", criteria.ID6);
    Helper.addCriterionClause(sb, " and lower(Table_ID7) like ", criteria.ID7);
}
```

There are 20 - 30 clauses like these. This is one method in a class; I have tens of methods in each class and tens of classes in each app. I don't want to redefine all these methods now, as I don't have the time or resources.

Can you please suggest how to handle these types of issues and remediate the SQL injection in one place instead of changing all the code? How can I handle this with minimal code change?

Your response is greatly appreciated

cns
  • You can still keep the criteria method, but you'll have to switch to stored procedures instead of building a query string. – Davide Vitali Mar 22 '19 at 06:58
  • Thanks Davide for your reply. Can you please send some sample code showing how to call a stored procedure in this scenario? – cns Mar 23 '19 at 07:31
  • See [this answer](https://stackoverflow.com/questions/1260952/how-to-execute-a-stored-procedure-within-c-sharp-program) for how to execute them programmatically within your methods. – Davide Vitali Mar 23 '19 at 07:58
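The thread has no answer, so here is one way to do what the question asks (fix the injection in one place, keep the call sites), as an added example that is neither the asker's code nor Davide's stored-procedure suggestion. The idea is to change the single helper that every fillCriteria calls: instead of concatenating the criterion value into the SQL string it appends a named placeholder and stores the value in a map, and the values are bound with setParameter after the string is built, the same way `:NAME` already is. The class and method names `SafeCriteria`, `Builder`, `bindAll`, `orderBy` and the `SORTABLE` column list are assumptions for this example, as is the guess that the original helper lower-cased and wildcarded LIKE values:

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.BiConsumer;

/**
 * Added example, not the asker's code: a replacement for the
 * Helper.addCriterionClause(...) pattern that keeps the StringBuffer call
 * sites as they are but never concatenates user input into the SQL text.
 * Each value becomes a named placeholder and is bound afterwards with
 * Query.setParameter, so the database sees it as data, never as SQL.
 * SafeCriteria, Builder, bindAll, orderBy and SORTABLE are assumed names.
 */
public class SafeCriteria {

    /** Collects WHERE fragments into the caller's buffer and values into a map. */
    public static final class Builder {
        private final StringBuffer sb;
        private final Map<String, Object> params = new LinkedHashMap<String, Object>();
        private int counter = 0;

        public Builder(StringBuffer sb) {
            this.sb = sb;
        }

        /**
         * Same shape as the original helper call: appends the clause only when
         * the criterion is non-blank, but with a placeholder instead of the raw
         * value. The placeholder name comes from a counter, never from input.
         * Assumption: the old helper lower-cased and wildcarded LIKE values; that
         * transformation now happens on the bound value, not in the SQL string.
         */
        public void addCriterionClause(String clausePrefix, String value) {
            if (value == null || value.trim().isEmpty()) {
                return;
            }
            String name = "crit" + (counter++);
            sb.append(clausePrefix).append(":").append(name);
            boolean isLike = clausePrefix.toLowerCase().contains(" like");
            params.put(name, isLike ? "%" + value.trim().toLowerCase() + "%" : value.trim());
        }

        public Map<String, Object> getParams() {
            return params;
        }
    }

    /** Binds every collected value; for a Hibernate Query pass query::setParameter. */
    public static void bindAll(Map<String, Object> params, BiConsumer<String, Object> setParameter) {
        for (Map.Entry<String, Object> e : params.entrySet()) {
            setParameter.accept(e.getKey(), e.getValue());
        }
    }

    /** Columns the UI is allowed to sort by (assumed list for this example). */
    private static final Set<String> SORTABLE =
            new HashSet<String>(Arrays.asList("ID", "NAME", "CREATED"));

    /**
     * ORDER BY cannot take a bind parameter, so the column and direction are
     * validated against a whitelist and anything else falls back to a default.
     */
    public static String orderBy(String column, String direction) {
        String col = column == null ? "" : column.trim().toUpperCase();
        if (!SORTABLE.contains(col)) {
            col = "ID";
        }
        String dir = direction != null && "DESC".equalsIgnoreCase(direction.trim()) ? "DESC" : "ASC";
        return " order by " + col + " " + dir;
    }

    public static void main(String[] args) {
        StringBuffer sb = new StringBuffer("SELECT * FROM VW_VIEW1 WHERE COLUMN1 = :NAME");
        Builder b = new Builder(sb);

        // Constructed inputs; the second one is a textbook injection attempt.
        b.addCriterionClause(" and lower(Table_ID) like ", "Smith");
        b.addCriterionClause(" and lower(Table_ID1) like ", "x' or '1'='1");
        b.addCriterionClause(" and lower(Table_ID2) like ", "   ");   // blank, skipped
        sb.append(orderBy("NAME; DROP TABLE T", "desc"));            // not whitelisted

        System.out.println(sb);            // SQL text contains only :crit0 / :crit1
        System.out.println(b.getParams()); // the quote characters sit inside a value

        // With Hibernate the call site changes only in how parameters are bound
        // (assumes Query.setParameter(String, Object) on the session's query):
        //   Query query = session.createSQLQuery(sb.toString()).setParameter("NAME", "MYNAME");
        //   bindAll(b.getParams(), query::setParameter);
        //   return query.list();
    }
}
```

Two things to check before calling this "one place". First, fillCriteria currently receives only the StringBuffer, so the collected values need a way back to the createSQLQuery site: either pass the Builder (or its map) into fillCriteria or have the helper return it. That is the one signature change this approach does not avoid, and it is mechanical. Second, the `csort` / `csorty` append is a separate finding: no bind parameter can carry an ORDER BY column, so a whitelist like `orderBy` above has to sit between the request and the append, or the scanner will keep flagging it.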

0 Answers