Mid Sweden University

SQL Injection Vulnerabilities in Open-Source Projects
Mid Sweden University, Faculty of Science, Technology and Media, Department of Communication, Quality Management, and Information Systems (2023-).
2024 (English). Independent thesis, basic level (degree of Bachelor), 10 credits / 15 HE credits. Student thesis.
Abstract [en]

SQL injection attacks have been a problem since the early 2000s. Even though the issue is well known today, SQL injection vulnerabilities remain one of the most common security flaws. Our study looks at open-source projects written in Java and Python to examine the current state of SQL injection vulnerabilities. We take a deeper look into the vulnerabilities' code patterns and discuss suitable prevention methods. The open-source projects were mined from GitHub. The projects that contained a connection to a relational database were further analyzed with static analysis to find vulnerabilities. A subset of projects was picked out for deeper analysis of the source code. Among 167,644 Java projects that met the selection criteria, 24,416 were identified as having a connection to a relational database. The corresponding figures for Python were 294,637 and 20,994. Notably, concatenation is more prevalent in Java, whereas prepared statements are favored in Python. Additionally, the analysis revealed that the Python projects tended to have more recent updates and a higher number of contributors compared to the Java projects. Moreover, projects employing both prepared statements and concatenation were observed to be larger in size compared to those using only one of these methods or relying on hardcoded queries. With legacy projects and concatenation being more common in Java, it is suggested that Python projects better follow best practices when it comes to SQL injection. Although indications were found that the overall knowledge of SQL injection has increased since 2019, the use of identifier concatenation is still prevalent.
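The abstract contrasts three query-building patterns (string concatenation, prepared statements, and concatenation of identifiers such as column names) without showing code. The following is an added illustration, not code from the thesis or from any of the projects it mined; it uses Python's standard `sqlite3` module against an in-memory database, and all table rows are constructed sample data. It shows why concatenated values hand control of the query grammar to the input (a legitimate name containing an apostrophe is enough to break the statement), why a bound parameter cannot do that, and why identifiers, which drivers cannot bind, need an allow-list instead of concatenation.

```python
"""Added example (not from the thesis): value concatenation vs. a prepared
statement vs. an allow-listed identifier, run against in-memory SQLite."""
import sqlite3

# Constructed sample rows; nothing here comes from the mined projects.
SAMPLE_USERS = [
    (1, "alice", "alice@example.org"),
    (2, "bob", "bob@example.org"),
    (3, "carol", "carol@example.org"),
]


def make_db():
    """Create a throwaway in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_by_name_concat(conn, name):
    """VULNERABLE pattern: the value is spliced into the SQL text, so any quote
    character in it is parsed as SQL rather than as data."""
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_prepared(conn, name):
    """Prepared-statement pattern: the driver ships the value separately from the
    statement, so it can never alter the query structure."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Identifiers (table/column names) cannot be bound as parameters, so the safe
# alternative to concatenating them is a fixed allow-list of known names.
SORTABLE_COLUMNS = {"id", "name", "email"}


def list_sorted(conn, column):
    """Sort by a caller-chosen column, accepting only allow-listed identifiers."""
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    # Safe to interpolate: `column` is now one of our own literal names.
    return conn.execute(f"SELECT id, name FROM users ORDER BY {column}").fetchall()


def query_error(fn, conn, name):
    """Run fn(conn, name) and report the database error class name, or None.

    Used to show that the concatenated query fails on ordinary data containing
    a quote, which is the tell-tale sign that input is reaching the SQL parser.
    """
    try:
        fn(conn, name)
    except sqlite3.Error as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    db = make_db()
    print("prepared, plain name:", find_by_name_prepared(db, "alice"))
    print("prepared, name with quote:", find_by_name_prepared(db, "o'brien"))
    print("concat, name with quote ->", query_error(find_by_name_concat, db, "o'brien"))
    print("allow-listed sort:", list_sorted(db, "name"))
```

The `query_error` check is the one a reviewer or a static-analysis rule is really looking for: if a harmless apostrophe changes how the statement parses, the query text is being assembled from input, and the fix is to move every value into a bound parameter and every identifier behind an allow-list.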

Place, publisher, year, edition, pages
2024, p. 14
Keywords [en]
Open-Source, SQL Injection, Java, and Python
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:miun:diva-51809
OAI: oai:DiVA.org:miun-51809
DiVA id: diva2:1879376
Subject / course
Computer Engineering DT1
Educational program
Software Engineering TPVAG 120/180 higher education credits
Supervisors
Examiners
Available from: 2024-06-28. Created: 2024-06-28. Last updated: 2024-06-28. Bibliographically approved.

Open Access in DiVA

fulltext (1196 kB), 147 downloads
File information
File name: FULLTEXT01.pdf
File size: 1196 kB
Checksum (SHA-512): b89fae8278a0f23e601a9b0c7d2ef8927c9e912ccebee83d712a07436a35ccf447b42f0ac3ec1fd5d11558149ac9cddd4f3e91d84d1fadd02eaae3c006b63d6b
Type: fulltext
Mimetype: application/pdf

Search in DiVA

By author/editor
Brehmer, Aron
Teräs, Mina
By organisation
Department of Communication, Quality Management, and Information Systems (2023-)
Software Engineering

Search outside of DiVA

Google
Google Scholar
Total: 147 downloads
The number of downloads is the sum of all downloads of full texts. It may include, e.g., previous versions that are no longer available.

Total: 449 hits