Amazon SimpleDB queries should not be constructed using unvalidated external data.
Avoid directly performing string concatenation to create SQL queries, as this can lead to injection attacks.
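String table = request.getParameter("model");
String id = request.getParameter("id");
// Both values come straight from the request and are concatenated into the query text.
String query = "SELECT * FROM " + table + " WHERE id = '" + id + "'"; // Susceptible to injection!
SelectResult result = conn.select(new SelectRequest(query));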
In security, allow-lists are preferable to deny-lists because they can be far more specific. If possible, narrow the behaviors a query can perform down to the absolute minimum, and use external input only to select which of those behaviors is required for the specific purpose.
Make sure to sanitize data from files or requests by first passing it through allow-lists.
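if (!allowlist.contains(table)) return; // reject any table name that is not explicitly allowed
// ...
// id is still external input: double any single quote so it cannot close the quoted value.
String query = String.format("SELECT * from %s where id = '%s'", table, id.replace("'", "''"));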
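The allow-list check above, put together as a self-contained query builder. This is an added example, not code from the original page or from the AWS SDK; the class name, the domain names in the allow-list, the 64-character limit and the sample inputs are all assumptions made for illustration.

```java
import java.util.Set;

public class SafeSimpleDbSelect {
    // Hypothetical domain names: external input may only pick one of these.
    private static final Set<String> ALLOWED_DOMAINS = Set.of("cars", "trucks");

    // Inside a single-quoted SimpleDB value, a single quote is escaped by doubling it.
    static String quoteValue(String value) {
        return "'" + value.replace("'", "''") + "'";
    }

    // Builds the select expression, or throws if either input is unacceptable.
    static String buildSelect(String table, String id) {
        // Null check first: Set.of(...).contains(null) throws NullPointerException.
        if (table == null || !ALLOWED_DOMAINS.contains(table)) {
            throw new IllegalArgumentException("domain not on allow-list");
        }
        // Assumed upper bound on id length; adjust to the real data model.
        if (id == null || id.isEmpty() || id.length() > 64) {
            throw new IllegalArgumentException("invalid id");
        }
        // table is now one of our own constants; id is emitted only as an escaped literal.
        return "SELECT * FROM " + table + " WHERE id = " + quoteValue(id);
    }

    public static void main(String[] args) {
        // Constructed sample inputs standing in for request parameters.
        System.out.println(buildSelect("cars", "42"));

        // A quote in the id stays inside the literal instead of ending it.
        System.out.println(buildSelect("cars", "42' or id like '%"));

        // A domain value that is not on the allow-list never reaches the query text.
        try {
            buildSelect("cars where id like '%' or id = ''", "42");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The string returned by `buildSelect` is what would be passed to `new SelectRequest(query)` in the snippets above.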