feedzai / pdb

PulseDB is a database-mapping software library written in Java that provides transparent access to, and manipulation of, a wide variety of database implementations. PDB provides a DSL that covers most SQL functionality and lets you easily integrate persistence into your projects and modules.
Apache License 2.0

Possible SQL Injection flaw #37

Open bugflux opened 8 years ago

bugflux commented 8 years ago

Hello,

I'd like to understand in which scenarios we think using an object's "toString" is a valid conversion for a constant parameter, because it could lead to SQL Injection:

https://github.com/feedzai/pdb/blob/master/src/main/java/com/feedzai/commons/sql/abstraction/engine/AbstractTranslator.java#L245

rpvilao-gymondo commented 8 years ago

Seems like a valid point... the constant can be used everywhere possible, like in where clauses, select columns, etc. So it should be escaped if not already.
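The following is an added illustration written for this issue; it is not PulseDB's `AbstractTranslator` and does not reproduce the code at the linked line. It contrasts the pattern the issue questions (a constant's `toString()` spliced into SQL text) with two defensive renderings: emitting a `?` placeholder and carrying the value for JDBC to bind, and, as a fallback for statements a driver will not parameterise, quoting the literal with embedded single quotes doubled. The class name, the `users` table, the `name` column and the sample value `O'Brien` are all constructed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical query-builder fragment written for this issue as an
 * illustration; it is not PulseDB's own translator code.
 */
public class ConstantRendering {

    /** A query as SQL text plus the values that must be bound to it. */
    public static final class BoundQuery {
        public final String sql;
        public final List<Object> params;

        BoundQuery(String sql, List<Object> params) {
            this.sql = sql;
            this.params = Collections.unmodifiableList(params);
        }
    }

    /**
     * The pattern the issue questions: the constant's toString() is spliced
     * straight into the SQL text. A value containing a single quote terminates
     * the string literal early, so whatever follows is parsed as SQL rather
     * than as data. The column name is assumed to come from the DSL, not from
     * user input; identifiers need their own validation and are out of scope here.
     */
    public static String renderWithToString(String column, Object constant) {
        return "SELECT * FROM users WHERE " + column + " = '" + constant.toString() + "'";
    }

    /**
     * Hardened form: the constant never touches the SQL text. The builder emits
     * a '?' placeholder and hands the value to the driver separately, so the
     * database receives it as a parameter and never re-parses it as SQL.
     */
    public static BoundQuery renderWithPlaceholder(String column, Object constant) {
        List<Object> params = new ArrayList<>();
        params.add(constant);
        return new BoundQuery("SELECT * FROM users WHERE " + column + " = ?", params);
    }

    /**
     * Fallback for the rare case where a string literal must be inlined (for
     * example a DDL statement the driver will not parameterise): wrap it in
     * single quotes and double every embedded single quote, which is the
     * escaping the SQL standard defines for string literals. Binding is still
     * preferable; this covers only the string case and no other types.
     */
    public static String quoteLiteral(String value) {
        return "'" + value.replace("'", "''") + "'";
    }

    /** Prepares a BoundQuery on a connection, binding each parameter by position. */
    public static PreparedStatement prepare(Connection conn, BoundQuery q) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(q.sql);
        for (int i = 0; i < q.params.size(); i++) {
            ps.setObject(i + 1, q.params.get(i)); // JDBC parameter indices are 1-based
        }
        return ps;
    }

    public static void main(String[] args) {
        // Constructed sample value containing a single quote.
        Object name = "O'Brien";

        // Unsafe rendering: the quote inside the value breaks the literal.
        System.out.println(renderWithToString("name", name));

        // Placeholder rendering: SQL text and value travel separately.
        BoundQuery q = renderWithPlaceholder("name", name);
        System.out.println(q.sql + "  params=" + q.params);

        // Escaped literal: the embedded quote is doubled so it stays data.
        System.out.println("SELECT * FROM users WHERE name = " + quoteLiteral((String) name));
    }
}
```

Running `main` shows the three outcomes side by side: the `toString()` version produces text in which the literal closes after `O` and the remainder of the value is left outside the quotes, the placeholder version produces a statement with a `?` and a separate parameter list ready for `prepare`, and `quoteLiteral` produces a literal with the quote doubled. For a translator that renders the DSL to many dialects, the placeholder route is the one that does not depend on per-dialect escaping rules.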