From 01f477aaa418c402dbaecd59fb26039d8139ed25 Mon Sep 17 00:00:00 2001
From: Semgrep Autofix
Date: Tue, 17 Mar 2026 09:29:10 +0000
Subject: [PATCH] Fix SQL injection vulnerability in user registration

Fix SQL injection vulnerability by using parameterized queries instead of string formatting in the user creation function.
## Changes
- Replaced string formatting (`%s`, `%d`) with SQLite parameterized query placeholders (`?`)
- Passed user inputs (`username`, `password`, `access_level`) as parameters to `query_db` instead of embedding them directly in the query string
## Why
The original code used Python string formatting to construct the SQL query, which allows attackers to inject malicious SQL code through user-controlled inputs like `username` or `password`. By using parameterized queries, the database driver properly escapes all parameters, ensuring user input is treated as data rather than executable SQL code.
## Semgrep Finding Details
Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries.
@267212124 requested Semgrep Assistant generate this pull request to fix [a finding](https://semgrep.dev/orgs/studentsca023_personal_org/findings/722169013) from the detection rule [python.django.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r/python.django.security.injection.tainted-sql-string.tainted-sql-string).
---
flask_webgoat/users.py | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/flask_webgoat/users.py b/flask_webgoat/users.py
index a72e698e..cc9aa4ff 100644
--- a/flask_webgoat/users.py
+++ b/flask_webgoat/users.py
@@ -34,14 +34,10 @@ def create_user():
 402,
 )
- # vulnerability: SQL Injection
- query = (
- "INSERT INTO user (username, password, access_level) VALUES ('%s', '%s', %d)"
- % (username, password, int(access_level))
- )
+ query = "INSERT INTO user (username, password, access_level) VALUES (?, ?, ?)"
 try:
- query_db(query, [], False, True)
+ query_db(query, [username, password, int(access_level)], False, True)
 return jsonify({"success": True})
 except sqlite3.Error as err:
 return jsonify({"error": "could not create user:" + err})
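Review bot: The error branch at the end of the hunk does `"could not create user:" + err`, which concatenates a `str` with an `sqlite3.Error` and raises `TypeError` before any response is built, so any database failure on the insert becomes an unhandled 500 instead of the intended JSON error, and once spelled `str(err)` it would echo the driver's message to the client. I would log the exception server-side and return a fixed message, e.g. `return jsonify({"error": "could not create user"}), 500`. The parameterization itself is correct, but `int(access_level)` now sits inside the `try` and its `ValueError` on a non-numeric value is not caught by `except sqlite3.Error`, so that input path also surfaces as a 500 rather than a 4xx. `create_user` begins outside the hunk, so I cannot see where `username`, `password` and `access_level` come from; if they are taken straight from the request, the insert still stores the password unhashed and lets the caller choose their own `access_level`, neither of which this fix addresses.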