cwe-89-sql-injection
CWE-89 Improper Neutralization of Special Elements used in an SQL Command
Description
Improper Neutralization of Special Elements used in an SQL Command
Reference: https://cwe.mitre.org/data/definitions/89.html
OWASP Category: A03:2021 – Injection
Vulnerable Pattern
❌ Example 1
public ResponseEntity<String> getCarInformationLevel1(
@RequestParam Map<String, String> queryParams) {
String id = queryParams.get(Constants.ID);
BodyBuilder bodyBuilder = ResponseEntity.status(HttpStatus.OK);
return applicationJdbcTemplate.query(
"select * from cars where id=" + id,
(rs) -> {
if (rs.next()) {
return bodyBuilder.body(CAR_IS_PRESENT_RESPONSE);
}
return bodyBuilder.body(
ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
});
}
❌ Example 2
public ResponseEntity<String> getCarInformationLevel2(
@RequestParam Map<String, String> queryParams) {
String id = queryParams.get(Constants.ID);
BodyBuilder bodyBuilder = ResponseEntity.status(HttpStatus.OK);
bodyBuilder.body(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
return applicationJdbcTemplate.query(
"select * from cars where id='" + id + "'",
(rs) -> {
if (rs.next()) {
return bodyBuilder.body(CAR_IS_PRESENT_RESPONSE);
}
return bodyBuilder.body(
ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
});
}
Deterministic Fix
✅ Secure Implementation
public ResponseEntity<String> getCarInformationLevel2(
@RequestParam Map<String, String> queryParams) {
String id = queryParams.get(Constants.ID);
BodyBuilder bodyBuilder = ResponseEntity.status(HttpStatus.OK);
bodyBuilder.body(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
return applicationJdbcTemplate.query(
"select * from cars where id='" + id + "'",
(rs) -> {
if (rs.next()) {
return bodyBuilder.body(CAR_IS_PRESENT_RESPONSE);
}
return bodyBuilder.body(
ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
});
}
✅ Secure Implementation
public ResponseEntity<String> getCarInformationLevel2(
@RequestParam Map<String, String> queryParams) {
String id = queryParams.get(Constants.ID);
BodyBuilder bodyBuilder = ResponseEntity.status(HttpStatus.OK);
bodyBuilder.body(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
return applicationJdbcTemplate.query(
"select * from cars where id='" + id + "'",
(rs) -> {
if (rs.next()) {
return bodyBuilder.body(CAR_IS_PRESENT_RESPONSE);
}
return bodyBuilder.body(
ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
});
}
Detection Pattern
Look for these patterns in your codebase:
# Find JdbcTemplate queries with concatenation
grep -rn "jdbcTemplate.query" --include="*.java" | grep -E "\+.*\"|\".*\+"
# Find raw Statement usage
grep -rn "createStatement\(\)" --include="*.java"
Remediation Steps
-
Identify string concatenation in SQL query construction
-
Replace concatenated values with ? placeholders
-
Use PreparedStatement or equivalent parameterized API
-
Bind user input via setString(), setInt(), etc.
-
Validate input types match expected database column types
Key Imports
import java.sql.PreparedStatement;
import org.springframework.jdbc.core.JdbcTemplate;
Verification
After remediation:
-
Re-run SAST scan - CWE-89 should be resolved
-
Test with injection payloads: ' OR '1'='1, 1; DROP TABLE--
-
Verify query still returns expected results
Trigger Examples
Fix CWE-89 vulnerability
Resolve Improper Neutralization of Special Elements used in an SQL Command issue
Secure this Java code against improper neutralization of special elements used in an sql command
SAST reports CWE-89
Common Vulnerable Locations
| Layer | Files | Patterns |
|---|
| Controller | *Controller.java | Query params to DB |
| Service | *Service.java | Business logic queries |
| Repository | *Repository.java | Custom queries |
References
Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07