CME-1305

SQL Injection Prevention (Parameterized Queries)

Description

The application uses parameterized queries or prepared statements for every database operation, so user input reaches the database engine only as bound values and is never concatenated or formatted into SQL text. ORMs whose backends bind parameters qualify, provided any raw-SQL escape hatch the ORM exposes is also called with bound parameters. Identifiers such as table and column names cannot be bound; where they must vary, they are selected from a fixed allowlist rather than taken from input. This prevents an attacker from injecting SQL syntax to read, modify, or delete database contents.
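The following is an added illustration, not code from the catalog or from any application it describes. It contrasts the "before" form (SQL assembled by string concatenation) with the parameterized form using Python's standard sqlite3 module, and also covers the two cases that most often tempt developers back into concatenation: a variable-length IN list and a caller-chosen sort column. The users table, its rows, and the function names are constructed for the example.

```python
import sqlite3

# Constructed sample data for the demo (not from any real system).
SEED_ROWS = [
    ("alice", "s3cret", "user"),
    ("bob", "hunter2", "admin"),
]

# Identifiers cannot be bound as parameters, so they come from an allowlist.
SORTABLE_COLUMNS = {"username", "role"}


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """'Before' form: input is spliced into the SQL string and becomes code."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Hardened form: placeholders; the driver sends input as data only."""
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username, password))]


def find_by_usernames(conn, names):
    """Variable-length IN list: generate one placeholder per value, then bind."""
    if not names:
        return []
    placeholders = ", ".join("?" for _ in names)
    sql = (f"SELECT username FROM users WHERE username IN ({placeholders}) "
           "ORDER BY username")
    # Only the placeholder string is formatted in; the values are still bound.
    return [row[0] for row in conn.execute(sql, tuple(names))]


def order_users(conn, column):
    """Caller-chosen sort column: validate against an allowlist, never bind it."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    sql = f"SELECT username FROM users ORDER BY {column}"
    return [row[0] for row in conn.execute(sql)]


def demo():
    """Run the same tautology payload through both forms and return the results."""
    conn = make_db()
    payload = "' OR '1'='1"  # classic tautology; closes the literal, adds OR
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "legit_parameterized": login_parameterized(conn, "alice", "s3cret"),
        "inject_vulnerable": login_vulnerable(conn, "x", payload),
        "inject_parameterized": login_parameterized(conn, "x", payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the concatenated form the payload rewrites the WHERE clause to `username = 'x' AND password = '' OR '1'='1'`, which is true for every row, so an attacker with no valid credentials sees every username. With the parameterized form the same string is compared literally against the password column and matches nothing. The IN-list helper shows that generating the placeholder string is fine because only the placeholders, never the values, are formatted into the query text.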

CVSS Vector Impacts

Metric                   Transition   Rationale
Attack Complexity (AC)   L -> H       SQL injection payloads are treated as data, not code; parameterization is enforced
Confidentiality (C)      H -> L       Cannot extract data via UNION-based or blind SQL injection
Integrity (I)            H -> L       Cannot modify or delete database records via injection

CWE Relationships

Verification

Verify that all database queries use parameterized statements and that no SQL text is built with string formatting or concatenation. The grep below is a heuristic aimed at Python-style calls: it flags execute() calls adjacent to %-formatting, .format(), or an f-string, and drops lines that already pass a parameter tuple. It will miss SQL assembled into a variable before the call and concatenation with +, so treat any hit as a finding and an empty result as a starting point for manual review or a SAST rule, not as proof.

$ grep -rn 'execute.*%s\|execute.*format\|execute.*f"' <app_source>/ | grep -v 'execute.*,.*params'
# Expected: no string-formatted SQL queries
Platform: any