I just stumbled (by accident) on yet another stupid not-sanitized-at-all SQL injection flaw in a project I’m working on …and I’m so tired of it.
Do you have any advice on how to eliminate such bad SQL statements and enforce prepared statements wherever feasible? Right now I would prefer a solution like
REVOKE DarnInlineDataStatements ON * TO xyz
But since this seems unlikely, are there e.g. static code analysis tools for finding these things (to a certain point of reliability)? Or anything else you would recommend?
edit: The soft-skills approach ‘please don’t use them, there are (usually) better ways’ didn’t seem to work too well in the past. Therefore I would really prefer something that prevents such queries in the first place. Not to deliberately break existing code but for future projects, some ‘there are no such queries’ solution 😉
If you are already using static code analysis tools, you could configure them to look for usage of certain methods, say in the Java world
Connection.createStatement instead of Connection.prepareStatement. I think the better approach is to educate the team on the ill effects of creating dynamic SQL with concatenation. You must add it to your coding standards document!
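As an added example (not code from the question or the answer above), here is the kind of rule the answer describes, written as a small stand-alone Python scanner rather than as configuration for any particular analysis tool. It walks Java source line by line and reports two things: any call to `Connection.createStatement` (the API that only accepts inline SQL strings), and any `execute`/`executeQuery`/`executeUpdate` call whose argument is something other than a single string literal, which is where concatenated user input ends up. The Java snippet it scans is constructed for the example; the class and method names in it are invented.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed Java sample for the scanner to run over. It is not code from the
# original post: one method concatenates input into SQL, one uses a
# PreparedStatement correctly, and one uses createStatement with a constant query.
SAMPLE_JAVA = """\
public class UserDao {
    public User findBad(Connection c, String name) throws SQLException {
        Statement st = c.createStatement();
        ResultSet rs = st.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
        return map(rs);
    }

    public User findGood(Connection c, String name) throws SQLException {
        PreparedStatement ps = c.prepareStatement("SELECT * FROM users WHERE name = ?");
        ps.setString(1, name);
        return map(ps.executeQuery());
    }

    public int count(Connection c) throws SQLException {
        // constant query, no user data, but still uses the banned API
        return c.createStatement().executeQuery("SELECT COUNT(*) FROM users").getInt(1);
    }
}
"""

BANNED_METHOD = re.compile(r"\.createStatement\s*\(")
EXEC_CALL = re.compile(r"\.(executeQuery|executeUpdate|execute)\s*\(")
# A single double-quoted Java string literal and nothing else.
STRING_LITERAL = re.compile(r'^\s*"(?:[^"\\]|\\.)*"\s*$')


class Finding(NamedTuple):
    line: int
    rule: str
    snippet: str


def _argument_text(line: str, open_idx: int) -> Optional[str]:
    """Return the text between the '(' at open_idx and its matching ')'.

    String literals are skipped so that a ')' inside the SQL text (e.g. COUNT(*))
    does not end the argument early. Calls split across lines are out of scope
    for this line-based scanner and yield None.
    """
    depth, i, in_str = 0, open_idx, False
    while i < len(line):
        ch = line[i]
        if in_str:
            if ch == "\\":
                i += 1          # skip the escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return line[open_idx + 1:i]
        i += 1
    return None


def scan_java(source: str) -> List[Finding]:
    """Flag createStatement calls and execute* calls whose SQL is not a literal."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if BANNED_METHOD.search(line):
            findings.append(Finding(lineno, "banned-method", line.strip()))
        for m in EXEC_CALL.finditer(line):
            arg = _argument_text(line, m.end() - 1)
            # No argument: executing an already-prepared statement, which is fine.
            if not arg or not arg.strip():
                continue
            # Anything that is not exactly one string literal (concatenation, a
            # variable, String.format, ...) is treated as dynamic SQL. This is
            # deliberately conservative: a constant String variable is flagged too.
            if not STRING_LITERAL.match(arg):
                findings.append(Finding(lineno, "dynamic-sql", line.strip()))
    return findings


if __name__ == "__main__":
    for f in scan_java(SAMPLE_JAVA):
        print(f"line {f.line}: {f.rule}: {f.snippet}")
```

Running it over the sample reports line 3 and line 16 for `createStatement` and line 4 for dynamic SQL, while the `PreparedStatement` method is silent. The `dynamic-sql` rule is intentionally strict (a query held in a constant `String` variable is reported as well), which is the trade-off the question alludes to with "to a certain point of reliability": a few false positives that a reviewer can wave through are cheaper than missing a concatenated query.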