We have a Java web application that was vulnerable to blind SQL injection attacks. Our developers fixed the code by using the replaceAll() function to convert single quotes to two single quotes. I am trying to understand whether the following lines of code would still be vulnerable to SQL injection attacks.
    String userInput1 = in.getuserInput1();
    check = (String)form.get("userInput1");
    // operator for the WWXX_YYYYMM comparison, taken from the form
    String userInput2 = (String)form.get("userInput1_express");
    userInput2 = (userInput2 == null) ? "=" : userInput2.replaceAll("'", "''");
    if (userInput1 != null && !check.trim().equals("")) {
        iQueryObject.addQuery("in.userInput1", userInput1.replaceAll("'", "''"), userInput2, null);
        // userInput2 is appended bare as the operator; userInput1 is appended inside single quotes
        sbSelect.append("AND WWXX_YYYYMM " + userInput2 + " '" + userInput1.replaceAll("'", "''") + "' ");
    }
So far, we have tried to scan the updated application using Burp Suite and sqlmap, and both have been unable to identify any SQL injection issues.
The back-end database being used is Oracle.
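The snippet above applies quote-doubling only to the value that lands inside single quotes; the operator from `userInput1_express` is concatenated bare, so doubling quotes in it does not bound what it can contribute to the statement. The added example below (editor's code, not the asker's application) shows the shape a hardened version usually takes: the operator is checked against a fixed allow-list, the YYYYMM value is validated, and the value is passed as a bound parameter rather than concatenated. `form`, `sbSelect`, `WWXX_YYYYMM` and the base query are taken from the question; the class, method and the `openConnection` hook are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hardened replacement for the posted filter logic (added example, not the
 * original application code). Two separate controls cover the two places
 * where user data reached the SQL text:
 *   1. the comparison operator is allow-listed, never copied from the form;
 *   2. the compared value is bound with a placeholder, never concatenated.
 */
public class YearMonthFilter {

    // Only these operators are ever spliced into the statement text.
    private static final Set<String> ALLOWED_OPERATORS =
            Set.of("=", "<>", "<", "<=", ">", ">=");

    // WWXX_YYYYMM holds a year-month such as 202401 (assumption based on the column name).
    private static final Pattern YYYYMM = Pattern.compile("\\d{6}");

    /** Maps the form's operator field to a known-good token, defaulting to '='. */
    static String operatorFor(String formValue) {
        if (formValue == null || formValue.trim().isEmpty()) {
            return "=";
        }
        String op = formValue.trim();
        if (!ALLOWED_OPERATORS.contains(op)) {
            throw new IllegalArgumentException("unsupported comparison operator");
        }
        return op;
    }

    /** Rejects anything that is not a six-digit year-month before it reaches the database. */
    static String yearMonthFor(String formValue) {
        if (formValue == null || !YYYYMM.matcher(formValue.trim()).matches()) {
            throw new IllegalArgumentException("expected a YYYYMM value");
        }
        return formValue.trim();
    }

    /**
     * Builds the SQL text. The operator is one of ALLOWED_OPERATORS and the
     * value is a '?' placeholder, so no form data is part of the statement string.
     */
    static String buildSql(String baseSelect, Map<String, String> form) {
        String op = operatorFor(form.get("userInput1_express"));
        return baseSelect + " AND WWXX_YYYYMM " + op + " ?";
    }

    /** Prepares the statement against an open connection and binds the validated value. */
    static PreparedStatement prepare(Connection conn, String baseSelect,
                                     Map<String, String> form) throws SQLException {
        String yearMonth = yearMonthFor(form.get("userInput1"));
        PreparedStatement ps = conn.prepareStatement(buildSql(baseSelect, form));
        ps.setString(1, yearMonth);   // bound, not concatenated
        return ps;
    }

    public static void main(String[] args) {
        // Constructed sample form input (no database needed to see the statement shape).
        Map<String, String> form = Map.of("userInput1", "202401", "userInput1_express", ">=");
        System.out.println(buildSql("SELECT * FROM t WHERE 1 = 1", form));
        // prints: SELECT * FROM t WHERE 1 = 1 AND WWXX_YYYYMM >= ?

        // A non-allow-listed operator is refused before any SQL is assembled.
        try {
            buildSql("SELECT * FROM t WHERE 1 = 1",
                     Map.of("userInput1", "202401", "userInput1_express", "= 1 OR"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With this shape the `replaceAll("'", "''")` calls become unnecessary: the value never appears inside the SQL string, and the operator can only be one of the fixed tokens. Scanner results (Burp Suite, sqlmap) are useful confirmation, but the code review question is simpler to answer by asking which inputs still reach the statement text through concatenation.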