Swift: Qhelp.

Author: geoffw0

swift/ql/src/queries/Security/CWE-089/SqlInjection.qhelp

@@ -4,29 +4,36 @@
 <qhelp>
 <overview>
 
-<p>TODO</p>
+<p>
+If a database query (such as an SQL query) is built from user-provided data without sufficient sanitization, a user may be able to run malicious database queries.
+</p>
 
 </overview>
 <recommendation>
 
-<p>TODO</p>
+<p>
+Most database connector libraries offer a way of safely embedding untrusted data into a query by means of query parameters or prepared statements. Use these features rather than building queries by string concatenation.
+</p>
 
 </recommendation>
 <example>
 
-<p>TODO</p>
+<p>In the following example, an SQL query is prepared using string interpolation to directly include a user-controlled value <code>userControlledString</code> in the query. An attacker could craft the part they control to change the overall meaning of the SQL query.
+</p>
 
 <sample src="SqlInjectionBad.swift" />
 
-<p>TODO</p>
+<p>A better way to do this is with a prepared statement, binding <code>userControlledString</code> to a parameter of that statement. An attacker who controls the contents of that parameter cannot 'break out' and change the overall meaning of the SQL query.
+</p>
 
 <sample src="SqlInjectionGood.swift" />
 
 </example>
 <references>
 
 <li>
-  TODO
+	<li>Wikipedia: <a href="https://en.wikipedia.org/wiki/SQL_injection">SQL injection</a>.</li>
+	<li>OWASP: <a href="https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html">SQL Injection Prevention Cheat Sheet</a>.</li>
 </li>
 
 </references>

swift/ql/src/queries/Security/CWE-089/SqlInjectionBad.swift

@@ -1,2 +1,3 @@
+let unsafeQuery = "SELECT * FROM users WHERE username='\(userControlledString)'" // BAD
 
-TODO
+try db.execute(unsafeQuery)

swift/ql/src/queries/Security/CWE-089/SqlInjectionGood.swift

@@ -1,2 +1,4 @@
+let safeQuery = "SELECT * FROM users WHERE username=?"
 
-TODO
+let stmt = try db.prepare(safeQuery, userControlledString) // GOOD
+try stmt2.run()