PHP Scanner does not pull SQL Injection Report

  • ALM used: Bitbucket Cloud
  • CI system used: Bitbucket Pipelines
  • Scanner command: using pipe sonarsource/sonarcloud-scan:1.2.0
  • Languages of the repository: PHP

We did not see any SQL Injection report; only XSS and other reports such as Quality Coverage, Bugs, Code Smells etc. are pulled up. Is there a different pipe to be used to pull the SQL Injection reports?

SQL injection issues are detected in the same way as the others. There’s nothing special to do.
Why do you expect such issues to be found in your project?
Do you know of a particular SQL injection issue which should be raised in your project?

We were able to see the results of the SQL injection in another tool, which were valid.
The SonarCloud scan was done on a legacy PHP one.
The issue which we were looking for in the report was SQL statements having appended variables.

The fact that you concatenate variables to a SQL query doesn’t mean that there’s a SQL injection vulnerability. It’s more complex than that, and we spend a lot of effort to avoid false positives.

function sql_injection($c) {
    $id = $_GET['id']; // user-controlled source
    mysqli_query($c, 'select * from t1 where id=' . $id); // vulnerability: the tainted value reaches the query
}

function safe($c) {
    $id = 42; // constant, not attacker-controlled
    mysqli_query($c, 'select * from t1 where id=' . $id); // no vulnerability
}

If you really believe that SonarCloud should raise an issue in your project, can you please share your code?


Here are some queries:

"SELECT distinct user_id, company_id FROM user where site_id = " . $context['site_id'] . " and user_email = '" . $context['email_address'] . "'";

"SELECT action_value, action_name FROM admin_action where affiliate_status=" . $status . " and admin_function = " . $admin_function;

Thank you.
However, it’s still not possible to say whether this code is vulnerable.
What’s inside $context when executing the first query?
If sonarcloud can tell that it contains user-controlled data, then it raises an issue: please see for yourself.

We try to track data flow quite deeply, but there are cases where we fail to track user-controlled data: that’s what we call a false negative. If we can see your code (not just the line where the query is run), we can try to see whether an issue should indeed be raised, and we can try to improve our analyzer.
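The two replies above make the same point from both sides: the concatenation is only reported when the analyzer can see that the concatenated value is user-controlled, and the posted query is vulnerable or not depending on what fills $context. The following added example (not code from the thread or from SonarSource) runs the posted user query both ways. It uses PDO with an in-memory SQLite database so it runs offline with no server; the thread's code uses mysqli, where mysqli_prepare() and bind_param() play the same role as PDO::prepare() here. The table name and columns are taken from the posted query; the rows and the request parameters are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Demonstrates: constant $context (no
// injection), request-built $context (injection), and the prepared-statement fix.
declare(strict_types=1);

function build_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (user_id INTEGER, company_id INTEGER, site_id INTEGER, user_email TEXT)');
    // Constructed sample rows (assumption: any data would do).
    $db->exec("INSERT INTO user VALUES (1, 10, 1, 'alice@example.com'),
                                       (2, 20, 1, 'bob@example.com'),
                                       (3, 30, 2, 'carol@example.com')");
    return $db;
}

// Vulnerable pattern: the query string posted in the thread, as a function.
// Whether this is a real vulnerability depends on where $context comes from.
function find_user_concat(PDO $db, array $context): array {
    $sql = "SELECT DISTINCT user_id, company_id FROM user WHERE site_id = " . $context['site_id']
         . " AND user_email = '" . $context['email_address'] . "'"; // vulnerability if $context is user-controlled
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: same query with placeholders. The values are sent separately
// from the SQL text, so they can never change the structure of the statement.
function find_user_prepared(PDO $db, array $context): array {
    $stmt = $db->prepare('SELECT DISTINCT user_id, company_id FROM user WHERE site_id = :site AND user_email = :email');
    $stmt->execute([':site' => (int) $context['site_id'], ':email' => (string) $context['email_address']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = build_db();

// Case 1: $context holds constants, like the thread's safe() example.
// No user data reaches the query, so there is nothing for the analyzer to report.
$constant = ['site_id' => 1, 'email_address' => 'alice@example.com'];
print_r(find_user_concat($db, $constant));

// Case 2: $context is built from the request. Simulated request parameters
// (constructed, not a real HTTP request): the email carries a classic payload.
$_GET = ['site' => '1', 'email' => "' OR '1'='1"];
$tainted = ['site_id' => $_GET['site'], 'email_address' => $_GET['email']];

// The quote in the payload closes the string literal and the OR becomes part of
// the SQL, so the WHERE clause no longer restricts the result to one user.
print_r(find_user_concat($db, $tainted));

// With the prepared statement the payload is just an email address that
// matches nothing; the WHERE clause is unchanged.
print_r(find_user_prepared($db, $tainted));
```

Running it with `php example.php` needs the pdo_sqlite extension, which is bundled with most PHP builds. The second print_r is the case the analyzer reports: $_GET is a taint source, the array assignment propagates it, and the concatenation is the sink. If your legacy code builds $context from a config file or a hard-coded array instead, the same line is a code smell but not an injection, which is why SonarCloud stays silent on it.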

Hi Pierre-Yves Nicolas,

We have a similar requirement; please describe to us how SonarQube works from the attachment.
Also, please explain to us how to find these types of errors in the SonarQube portal (localhost:9000).


Hi @pamuna,

Sorry, I don’t understand your request.
Please open a new thread with a clear question.