codeql/java/ql/src/Security/CWE/CWE-089/SqlTainted.java

{
// BAD: the category might have SQL special characters in it
// The value is read from the process environment, so this code does not control it.
String category = System.getenv("ITEM_CATEGORY");
Statement statement = connection.createStatement();
// The value is spliced directly into the SQL text between the two single quotes,
// so a quote character inside it would change the structure of the statement
// rather than being treated as part of the ITEM_CATEGORY literal.
// This is the pattern the CWE-089 (SQL injection) query reports.
String query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+ category + "' ORDER BY PRICE";
// NOTE(review): statement and results are not closed in this example;
// real code should wrap them in try-with-resources.
ResultSet results = statement.executeQuery(query1);
}
{
// GOOD: use a prepared query
String category = System.getenv("ITEM_CATEGORY");
// The SQL text is fixed: the only variable part is the '?' placeholder.
String query2 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY=? ORDER BY PRICE";
PreparedStatement statement = connection.prepareStatement(query2);
// The category is bound as parameter 1, not concatenated into the query text,
// so its characters cannot alter the statement's structure.
statement.setString(1, category);
// No SQL string is passed here: the statement was fixed at prepare time.
// NOTE(review): as in the first block, statement and results should be
// closed via try-with-resources in real code.
ResultSet results = statement.executeQuery();
}