SQL Injection flagged when concatenating strings
Describe the bug
It seems that when concatenating strings in a cur.execute() call, it flags up SQL injection possibilities, even though all the string arguments are being passed into the execute() call. So, this looks safe to me.
Reproduction steps
See the # noqa: S608 lines in this file: https://github.com/aio-libs/aiohttp-session/blob/master/examples/postgres_storage.py#L68-L72
Expected behavior
No errors from concatenating string literals.
Bandit version
1.7.0 (Default)
Python version
3.7
Additional context
No response
No, the use of a variable in the string is a possible vulnerability.
Concatenating string literals is not a vulnerability.
If the program is checking purely for concatenation, then it is wrong, hence why this is a bug report.
Using the initial example provided by @Dreamsorcerer, it appears to have been introduced in the 1.6.3 release. The example passes in 1.6.2. Not quite sure what would have changed, since that mainly appears to have been a documentation release.
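Worked illustration of the literal-versus-variable distinction drawn in the comments above (an added example, not code from Bandit or from the aiohttp-session repository): a small ast-based check that reports an execute() call only when its query string is assembled from a runtime value. The source it scans is constructed here, not the file linked in the issue.

```python
from __future__ import annotations
import ast

# Added example, not code from Bandit or aiohttp-session: applies the rule from
# the comment above (literal-only concatenation is safe, splicing in a runtime
# value is not) to the first argument of .execute() calls. Bandit's S608 has
# further heuristics; this shows only the literal-vs-dynamic split.

def is_literal_string(node: ast.AST) -> bool:
    """True if `node` is a string built purely from literal pieces."""
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return is_literal_string(node.left) and is_literal_string(node.right)
    if isinstance(node, ast.JoinedStr):  # f-string without any {...} parts
        return all(isinstance(part, ast.Constant) for part in node.values)
    return False

def builds_string_dynamically(node: ast.AST) -> bool:
    """True for '+' concatenation, f-strings, '%' formatting or .format()
    calls that pull at least one non-literal value into the string."""
    if is_literal_string(node):
        return False
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.JoinedStr):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")

def find_dynamic_queries(source: str) -> list[int]:
    """Line numbers of .execute(...) calls whose query is built from runtime
    values. A bare variable holding the query is not judged at this call site."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and builds_string_dynamically(node.args[0])):
            hits.append(node.lineno)
    return sorted(hits)

# Constructed sample in the shape of the issue, not the linked aiohttp-session file.
SAMPLE = '''\
cur.execute("SELECT data FROM " + "web_sessions" + " WHERE key = %s", (key,))
cur.execute(f"SELECT data FROM {table} WHERE key = %s", (key,))
cur.execute("UPDATE web_sessions SET data = '" + data + "' WHERE key = %s", (key,))
cur.execute("DELETE FROM web_sessions WHERE key = %s", (key,))
'''
```

find_dynamic_queries(SAMPLE) returns [2, 3]: the literal-only concatenation on line 1 and the parameterised query on line 4 are left alone, which is the behaviour the issue expects from S608.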