Vulnerable Code
Because prepared-statement placeholders (?) can bind only values, not identifiers such as column names, developers often fall back to dangerous string concatenation when implementing sorting features.
// Java JDBC Example
String sortColumn = request.getParameter("sort");
// Vulnerable: User input is appended directly after the ORDER BY clause
String query = "SELECT id, name, email FROM users ORDER BY " + sortColumn;
Statement statement = connection.createStatement();
ResultSet resultSet = statement.executeQuery(query);
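The usual fix is an allowlist: the request parameter is used only as a key into a fixed map of sortable columns, so the identifier that reaches the SQL text is always one the developer wrote. The following is an added example, not code from the original page; it renders the same pattern in Python with an in-memory SQLite database (the users table, its rows, and the SORTABLE_COLUMNS map are constructed for this example) so that both the vulnerable construction and the hardened one can be run side by side.

```python
import sqlite3

# Allowlist: request parameter values (keys) mapped to the only identifiers
# that may ever appear after ORDER BY (values). Hypothetical schema for this example.
SORTABLE_COLUMNS = {
    "id": "id",
    "name": "name",
    "email": "email",
}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_user_query_vulnerable(sort_param: str) -> str:
    """The page's pattern: the raw parameter is concatenated into ORDER BY.

    Kept here only for comparison; nothing in this example executes it
    with untrusted input.
    """
    return "SELECT id, name, email FROM users ORDER BY " + sort_param


def build_user_query(sort_param: str, direction_param: str = "asc") -> str:
    """Build the SELECT from allowlisted identifiers only.

    Anything not in the allowlist raises ValueError, so unexpected input never
    reaches the query string. Note that a placeholder (?) would not work here:
    the database would treat a bound value as a constant, not a column name.
    """
    try:
        column = SORTABLE_COLUMNS[sort_param]
        direction = SORT_DIRECTIONS[direction_param.lower()]
    except KeyError:
        raise ValueError(
            f"unsupported sort option: {sort_param!r} / {direction_param!r}"
        ) from None
    return f"SELECT id, name, email FROM users ORDER BY {column} {direction}"


def make_demo_db() -> sqlite3.Connection:
    """Create a constructed in-memory users table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [
            ("carol", "carol@example.test"),
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
        ],
    )
    return conn


def fetch_users(conn: sqlite3.Connection, sort_param: str, direction_param: str = "asc"):
    """Run the allowlisted query and return the rows as (id, name, email) tuples."""
    return conn.execute(build_user_query(sort_param, direction_param)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print(fetch_users(db, "name"))          # sorted by name ascending
    print(fetch_users(db, "id", "desc"))    # sorted by id descending
    try:
        fetch_users(db, "password")         # not sortable: rejected before any SQL is built
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting unknown keys rather than "sanitising" them is the important design choice: it also stops users from ordering by columns that were never meant to be exposed, which can leak data through the sort order even when no injection occurs.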
Where To Look For The Vulnerability
Look for any feature that lets the user alter the order of the data presented on the screen.