CWE-566
Authorization Bypass Through User-Controlled SQL Primary Key
The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
Mitigation
Phase: Implementation
Description:
- Assume all input is malicious. Use a standard input validation mechanism to validate all input for length, type, syntax, and business rules before accepting the data. Use an "accept known good" validation strategy.
Mitigation
Phase: Implementation
Description:
- Use a parameterized query AND make sure that the accepted values conform to the business rules. Construct your SQL statement accordingly.
No CAPEC attack patterns related to this CWE.