Fix SQL Injection (Legacy & Modern) in Vert.x

Vert.x reactive patterns don't grant immunity to SQLi. Whether you're using the legacy JDBC client or the high-performance Reactive SQL Client, string concatenation in queries is a critical vulnerability. Attackers can break out of the data context and execute arbitrary SQL commands. This guide covers the transition from 'broken' to 'bulletproof' using prepared statements and bind variables.

The Vulnerable Pattern

String id = routingContext.request().getParam("id");
// VULNERABLE: Direct string concatenation
client.query(“SELECT * FROM users WHERE id = ’” + id + ”’”)
.execute(ar -> {
// Result handling
});

The Secure Implementation

The fix relies on the separation of the SQL command from the user-provided data. By using 'preparedQuery' in modern Vert.x or 'queryWithParams' in legacy versions, you utilize the database driver's parameter binding mechanism. In the modern client, placeholders like '$1' or '?' are used, and values are passed via a 'Tuple'. This ensures the database treats the input strictly as a literal value, neutralizing any malicious SQL syntax within the input string. Never use 'query()' with dynamic string building for user-controlled data.

// MODERN (Reactive SQL Client): Use preparedQuery and Tuple
String id = routingContext.request().getParam("id");
client.preparedQuery("SELECT * FROM users WHERE id = $1")
  .execute(Tuple.of(id), ar -> {
    if (ar.succeeded()) {
      // Process safe RowSet
    }
  });
// LEGACY (JDBC Client): Use queryWithParams and JsonArray
jdbcClient.queryWithParams(“SELECT * FROM users WHERE id = ?”,
new JsonArray().add(id),
res -> {
// Process safe ResultSet
});