
The following section of my code is raising a concern under "Second-Order SQL Injection".

private String function1(String var1) {

    // conn is assumed to be an open java.sql.Connection field of this class
    String sql = "SELECT field1 FROM table1 WHERE field2 = ?";
    String result = "";

    // try-with-resources closes the statement and result set on every path
    try (PreparedStatement ps = conn.prepareStatement(sql)) {
        ps.setString(1, var1); // var1 is bound as data, never spliced into the SQL text
        try (ResultSet resultSet = ps.executeQuery()) {
            if (resultSet.next()) {
                result = resultSet.getString("field1"); // column name must match the SELECT list
            }
        }
    } catch (SQLException e) {
        e.printStackTrace();
    }

    return result;
}

However, as far as I know, PreparedStatement should be safe against second-order SQL injection, due to the separation of query and data.

Can I know why it would raise a concern?

  • I am not familiar with "2nd Order" SQL injection, but your code should not be injectable AFAIK. The thing is, if someone tries to pass in a `field2` value which has quotes, Java will escape those quotes so that they cannot be used literally. If you give an example of what you have in mind, perhaps more can be said. – Tim Biegeleisen Mar 13 '18 at 01:36
  • It doesn't. The notorious ["second order injection" is a hoax](https://phpdelusions.net/top#second_order_sql_injection), a scary tale for children. Your code is safe. – Your Common Sense Mar 13 '18 at 01:43
  • @TimBiegeleisen, the SQL Server JDBC drivers I've seen don't actually escape quotes but rather pass the parameter values over the TDS protocol in native format, separately from the statement. That is why there is no injection risk with prepared statements. – Dan Guzman Mar 13 '18 at 01:49
  • @DanGuzman I didn't know this, thanks for explaining. – Tim Biegeleisen Mar 13 '18 at 01:50
  • Hi all, Thanks a lot for the feedback. I will check with the people on the reason they raise this in the 2nd Order SQL Injection. – user3007096 Mar 13 '18 at 03:20
  • Yes, whomever is concerned must present an example input that would allow an attacker to do something bad. Second order SQL injection is where the application stores some data, then later uses that data in another SQL statement. Some developers believe (mistakenly) that once data has been stored in a database, it's safe to use that data in another SQL query. Treat data as untrusted even if it has been in your database. Just use parameters and you'll be okay. – Bill Karwin Mar 13 '18 at 15:00
  • Hi All, thanks for the feedback. The person explained to me that it was put wrongly under this category. – user3007096 Mar 15 '18 at 16:01
  • Hi All, if the prepared statement above is being raised under Stored XSS, is it due to the result that is being selected? – user3007096 Mar 19 '18 at 02:58
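The flow Bill Karwin describes, as an added example that is not the asker's code: a value is stored with parameters (first order), read back by a query like `function1` above, and then reused in a second query. The concatenating variant of that second query is what a scanner flags as second-order injection; the parameterized variant beside it is the fix. Table names, column names, the sample value `o'neill` and the H2 in-memory JDBC URL are all constructed for this example and assume the H2 driver is on the classpath (any JDBC driver works with its own URL).

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SecondOrderDemo {

    // Assumption: H2 on the classpath. Any JDBC driver works with its own URL.
    private static final String DB_URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    // Constructed sample value. The apostrophe is ordinary data (a surname),
    // but it is exactly the character a concatenated query cannot tell apart
    // from SQL syntax.
    private static final String SAMPLE_NAME = "o'neill";

    static void setUp(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement()) {
            st.execute("CREATE TABLE accounts (id INT PRIMARY KEY, name VARCHAR(100))");
            st.execute("CREATE TABLE notes (name VARCHAR(100), note VARCHAR(200))");
        }
        // First order: user-supplied data goes in with parameters. Safe, and
        // the value is stored byte-for-byte, apostrophe included.
        try (PreparedStatement ps = conn.prepareStatement(
                "INSERT INTO accounts (id, name) VALUES (?, ?)")) {
            ps.setInt(1, 1);
            ps.setString(2, SAMPLE_NAME);
            ps.executeUpdate();
        }
        try (PreparedStatement ps = conn.prepareStatement(
                "INSERT INTO notes (name, note) VALUES (?, ?)")) {
            ps.setString(1, SAMPLE_NAME);
            ps.setString(2, "stored note");
            ps.executeUpdate();
        }
    }

    // Reads the name back. Same shape as the question's function1: parameterized.
    static String loadName(Connection conn, int id) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT name FROM accounts WHERE id = ?")) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("name") : null;
            }
        }
    }

    // Second order, vulnerable form: the value came from our own database, so
    // it "must be safe", and it is pasted into the next statement as text.
    static String noteForConcatenated(Connection conn, String name) throws SQLException {
        String sql = "SELECT note FROM notes WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getString("note") : null;
        }
    }

    // Second order, fixed form: same query, value bound as a parameter.
    static String noteForParameterized(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT note FROM notes WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("note") : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(DB_URL)) {
            setUp(conn);
            String name = loadName(conn, 1); // "o'neill", straight from the database

            try {
                noteForConcatenated(conn, name);
                System.out.println("concatenated query ran (unexpected)");
            } catch (SQLException e) {
                // The stored apostrophe ended the string literal early: a syntax
                // error here, a changed query if the value had been chosen for it.
                System.out.println("concatenated query failed: " + e.getMessage());
            }

            System.out.println("parameterized query: " + noteForParameterized(conn, name));
        }
    }
}
```

The point to take from running it: `loadName` and `noteForParameterized` both look like the asker's `function1` and are fine on their own. The only defect is in `noteForConcatenated`, and it exists regardless of where the value came from, which is why a scanner reports the second query rather than the first. Review every place a value read from the database is spliced into SQL text; the first-order insert being parameterized does not make later concatenation safe.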
