SQL Injection - Hypersonic SQL
- Risk: High
- Type: Active
- CWE: CWE-89
- Summary
SQL injection may be possible.
- Solution
Do not trust client side input, even if there is client side validation in place. In general, type check all data on the server side. If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'. If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries. If database stored procedures can be used, use them. Do *not* concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality! Do not create dynamic SQL queries using simple string concatenation. Escape all data received from the client. Apply an 'allow list' of allowed characters, or a 'deny list' of disallowed characters in user input. Apply the principle of least privilege by using the least privileged database user possible. In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact. Grant the minimum database access that is necessary for the application.