MISRAC2012-Dir-4.14_l
Synopsis
(Required) The validity of values received from external sources shall be checked.
Enabled by default
Yes
Severity/Certainty
Medium/Medium

Full description
A value received from an external source (user input) is used to build an SQL statement without its validity being checked.
Coding standards
- MISRA C:2012 Dir-4.14
(Required) The validity of values received from external sources shall be checked
Code examples
The following code example fails the check and will give a warning:
#include <stdio.h>
#include <string.h>
#include <sqlite3.h>
void example(sqlite3 *conn) {
    char name[64];
    char sql[128];
    /* Value read from an external source and used without any validity check */
    if (fgets(name, sizeof name, stdin) == NULL) return;
    name[strcspn(name, "\n")] = '\0';
    /* The unchecked value is spliced directly into the SQL text */
    strcpy(sql, "SELECT age FROM people WHERE name = \"");
    strcat(sql, name);
    strcat(sql, "\"");
    sqlite3_exec(conn, sql, NULL, NULL, NULL);
}
The following code example passes the check and will not give a warning about this issue:
#include <stdio.h>
#include <string.h>
#include <sqlite3.h>
void example(sqlite3 *conn) {
    char name[64];
    sqlite3_stmt *stmt;
    if (fgets(name, sizeof name, stdin) == NULL) return;
    name[strcspn(name, "\n")] = '\0';
    /* The external value is bound as a parameter, never spliced into the SQL text */
    sqlite3_prepare_v2(conn, "SELECT age FROM people WHERE name = $A", -1, &stmt, NULL);
    sqlite3_bind_text(stmt, 1, name, -1, SQLITE_TRANSIENT);
    while (sqlite3_step(stmt) == SQLITE_ROW) { }
    sqlite3_finalize(stmt);
}
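The passing example above removes the SQL-injection path by binding the value, but Dir 4.14 asks for the value itself to be checked. The following is an added example, not part of the checker documentation, showing what such a validity check looks like in C: an allowlist on length and character set, applied when the line is read, with over-long and malformed lines rejected before the value reaches any query. The NAME_MAX limit, the accepted character set and the sample input are assumptions made for the example; it uses fmemopen (POSIX) in place of real stdin so it runs offline without an SQLite library.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Longest name the application accepts (assumed limit, not from the rule). */
#define NAME_MAX 32

/* Dir 4.14: check a value received from an external source before it is
 * used.  A name is accepted only if it is 1..NAME_MAX bytes long and made
 * up of ASCII letters, digits, spaces and hyphens.  Anything else,
 * including quote characters and SQL comment markers, is rejected. */
bool name_is_valid(const char *name)
{
    if (name == NULL) {
        return false;
    }
    size_t len = strnlen(name, NAME_MAX + 1);
    if (len == 0 || len > NAME_MAX) {
        return false;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != ' ' && c != '-') {
            return false;
        }
    }
    return true;
}

/* Read one line from an external source into out (capacity cap) and apply
 * the validity check.  Returns true only when the line fit in the buffer,
 * was newline terminated (so nothing was silently truncated) and passed
 * name_is_valid().  On failure out is cleared so a stale value is never used. */
bool read_checked_name(FILE *in, char *out, size_t cap)
{
    if (fgets(out, (int)cap, in) == NULL) {
        out[0] = '\0';
        return false;
    }
    size_t len = strlen(out);
    if (len == 0 || out[len - 1] != '\n') {
        /* Line longer than the buffer: drain the rest and reject it. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n') { }
        out[0] = '\0';
        return false;
    }
    out[len - 1] = '\0';
    if (!name_is_valid(out)) {
        out[0] = '\0';
        return false;
    }
    return true;
}

/* Constructed sample input standing in for stdin: three lines, of which the
 * second (an injection-style string) and the third (over-long) must be rejected. */
static const char SAMPLE_INPUT[] =
    "Ada Lovelace\n"
    "\" OR 1=1 --\n"
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n";

/* Feed the sample through read_checked_name() and return how many lines
 * were accepted.  Returns -1 if the in-memory stream could not be opened. */
int count_accepted_names(void)
{
    FILE *in = fmemopen((void *)SAMPLE_INPUT, sizeof SAMPLE_INPUT - 1, "r");
    if (in == NULL) {
        return -1;
    }
    char name[NAME_MAX + 2]; /* room for the newline and the terminator */
    int accepted = 0;
    while (!feof(in)) {
        if (read_checked_name(in, name, sizeof name)) {
            accepted++;
            /* name has passed the check and may now be bound as a query parameter */
        }
    }
    fclose(in);
    return accepted;
}

int main(void)
{
    printf("accepted %d of 3 sample lines\n", count_accepted_names());
    return 0;
}
```

The check is deliberately an allowlist rather than a search for dangerous characters, so a value that the application has no reason to expect is rejected even if it is harmless to SQL. It complements parameter binding rather than replacing it: the validated value should still be passed to sqlite3_bind_text as in the passing example, never concatenated into the statement text.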