Amazon SimpleDB queries should not be constructed using unvalidated external data.
Avoid building SimpleDB select expressions (its SQL-like query language) by string concatenation with external input, as this can lead to injection attacks.
String table = request.getParameter("model");
String id = request.getParameter("id");
// Susceptible to injection: both values come straight from the request and are placed into the query unchecked
String query = "SELECT * FROM " + table + " WHERE id = '" + id + "'";
SelectResult result = conn.select(new SelectRequest(query));
In security, allow-lists are preferable to deny-lists because they can be made precise. If possible, narrow the behaviors a query may perform down to the absolute minimum, and use external input only to select which of those behaviors is required for the specific purpose.
Validate data from files or requests against an allow-list before it is used in a query.
// Only proceed when the table name is one of the known, expected values
if (!allowlist.contains(table)) return;
// ... (validate id the same way before it is used)
String query = String.format("SELECT * from %s where id = '%s'", table, id);
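As an added example (not code from the original page), the allow-list approach applied to both inputs before the select expression is assembled; the domain names, the id format and the AWS SDK v1 `AmazonSimpleDB` client are assumptions. Malformed input is rejected outright rather than escaped, so no quote or operator characters can reach the query.

```java
import java.util.Set;
import java.util.regex.Pattern;

import com.amazonaws.services.simpledb.AmazonSimpleDB;
import com.amazonaws.services.simpledb.model.SelectRequest;
import com.amazonaws.services.simpledb.model.SelectResult;

public final class SafeSelect {
    // Assumed: the only SimpleDB domains this code path is ever meant to read.
    private static final Set<String> ALLOWED_DOMAINS = Set.of("users", "orders", "products");

    // Assumed id format: 1-64 letters, digits, '-' or '_'. Anything else is rejected,
    // so quotes, backticks, whitespace and operators never enter the expression.
    private static final Pattern ID_FORMAT = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    private SafeSelect() {}

    /** Builds the select expression only from values that passed both allow-lists. */
    static String buildQuery(String domain, String id) {
        if (domain == null || !ALLOWED_DOMAINS.contains(domain)) {
            throw new IllegalArgumentException("domain not in allow-list");
        }
        if (id == null || !ID_FORMAT.matcher(id).matches()) {
            throw new IllegalArgumentException("malformed id");
        }
        // Both values are now known to contain only characters from the allow-lists above.
        return "SELECT * FROM `" + domain + "` WHERE id = '" + id + "'";
    }

    /** Runs the validated query against SimpleDB (client construction is assumed to happen elsewhere). */
    static SelectResult findById(AmazonSimpleDB sdb, String domain, String id) {
        return sdb.select(new SelectRequest(buildQuery(domain, id)));
    }
}
```

A request such as `model=orders&id=abc-123` yields ``SELECT * FROM `orders` WHERE id = 'abc-123'``, while `model=orders` with `id=x' or 'a'='a` is rejected before any query text exists.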