
I am currently working on refactoring existing code as per Veracode standards. I have a piece of code where the ORDER BY clause is dynamically created based on user input. Veracode suggests using a Named Parameter, but that is not possible. Below is the code. Please help with a possible solution.

// Both values come straight from the user-controlled report request and are
// concatenated verbatim into the SQL text, which is the injection sink Veracode flags.
orderClauses.append("ORDER BY ");
orderClauses.append(report.getSortColumn1());
orderClauses.append(" ");
orderClauses.append(report.getSortOrder1());
  • Well, don't append the user-submitted values to your query. Use the user input as keys to a map of known valid values, and append these known valid values to your query. – JB Nizet Dec 27 '18 at 08:50
  • @JBNizet Not working for me. It is still showing as an SQL injection issue in Veracode. – Meghna Gajeshwar Dec 28 '18 at 05:39
  • Then the tool did its job by showing you a potential issue, and now that you've fixed the actual issue, it shows you a false positive. So ignore this false positive. It's just a tool. – JB Nizet Dec 28 '18 at 06:58

1 Answer


Change

orderClauses.append(report.getSortColumn1());

to something like

...
// Allow-list of column names that are valid for this query.
Set<String> columnsSet = new HashSet<>();
// fill columnsSet for your query
...
String col = report.getSortColumn1();
// Only a value that is already in the allow-list is used; anything else
// (including an injection attempt) collapses to the empty string.
col = columnsSet.contains(col) ? col : "";
...
orderClauses.append(col);
...
//etc

Or write cool classes for reports with reflection, annotations, etc.
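The approach from the accepted answer and JB Nizet's comment, carried through end to end as an added example (this is not code from the question, the answer, or any library). It maps the user's sort key to a column name through an allow-list instead of copying the input into the SQL, validates the direction the same way, and fails closed on anything unknown. The column names, table names, and the `sortColumn`/`sortOrder` parameters (standing in for `report.getSortColumn1()` and `report.getSortOrder1()`) are assumptions for illustration.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example: build an ORDER BY clause from user-controlled sort parameters
 * without ever concatenating the user's string into the SQL text.
 */
public final class SafeOrderBy {

    // Allow-list: the key a client may send -> the exact column text we emit.
    // The user's value is only ever used as a lookup key into this map; the
    // column names themselves are assumed for this example.
    private static final Map<String, String> SORTABLE_COLUMNS = new HashMap<>();
    static {
        SORTABLE_COLUMNS.put("created", "r.created_at");
        SORTABLE_COLUMNS.put("name", "r.report_name");
        SORTABLE_COLUMNS.put("owner", "u.display_name");
    }

    // Same idea for the sort direction: only these two tokens can reach the query.
    private static final Set<String> DIRECTIONS = new HashSet<>();
    static {
        DIRECTIONS.add("ASC");
        DIRECTIONS.add("DESC");
    }

    /**
     * Returns " ORDER BY <column> <direction>" when both inputs are in the
     * allow-lists, or "" when the column is unknown. Every character of the
     * returned text comes from the constants above, never from the caller.
     *
     * @param sortColumn user-supplied sort key (e.g. report.getSortColumn1())
     * @param sortOrder  user-supplied direction (e.g. report.getSortOrder1())
     */
    public static String orderByClause(String sortColumn, String sortOrder) {
        if (sortColumn == null) {
            return "";
        }
        String column = SORTABLE_COLUMNS.get(sortColumn);
        if (column == null) {
            // Fail closed: an unknown key, including any injection payload,
            // is dropped rather than echoed into the SQL.
            return "";
        }
        String direction = sortOrder == null ? "ASC" : sortOrder.trim().toUpperCase(Locale.ROOT);
        if (!DIRECTIONS.contains(direction)) {
            direction = "ASC";
        }
        return " ORDER BY " + column + " " + direction;
    }

    public static void main(String[] args) {
        // Assumed base query; the WHERE clause would use bind parameters in real code.
        StringBuilder sql = new StringBuilder(
                "SELECT r.id, r.report_name FROM report r "
              + "JOIN app_user u ON u.id = r.owner_id WHERE r.deleted = 0");

        // Legitimate request: the key "name" resolves to r.report_name via the map.
        sql.append(orderByClause("name", "desc"));
        System.out.println(sql);

        // Constructed hostile input: the payload never reaches the query text.
        String clause = orderByClause("r.report_name; DROP TABLE report; --", "ASC");
        System.out.println("hostile input produced: '" + clause + "'");
    }
}
```

If the finding is still raised after this change, the remaining concatenation only joins string constants, so the data flow from the user into the SQL is broken; whether a static analyzer recognises that depends on its taint rules, which is the point JB Nizet makes in the comments.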