top | item 22028097


rgharris | 6 years ago

I agree, end-to-end tests have been really valuable for catching SQL issues in my experience.

> Identify unsafe queries that could potentially lead to SQL injections

This feature seems like a perfect use case for static analysis and would be a great tool in addition to automated tests.
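As an added example (not code from the thread, and not the tool being discussed), here is a minimal static check in the spirit of the quoted feature: it parses Python source with the standard `ast` module and flags `execute()`-style calls whose first argument is assembled at runtime by an f-string, `%` formatting, `+` concatenation or `.format()`. The source it scans is constructed for the example; the method names in `EXEC_METHODS` match the DB-API cursor methods.

```python
"""Flag execute()-style calls whose SQL text is built by string formatting."""
import ast

# Constructed sample module (not real project code): one safe call, four unsafe ones.
SAMPLE_SOURCE = '''
def by_name(cur, name):
    cur.execute("SELECT id FROM users WHERE name = ?", (name,))      # safe: placeholder

def by_name_fstring(cur, name):
    cur.execute(f"SELECT id FROM users WHERE name = '{name}'")       # unsafe: f-string

def by_name_percent(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '%s'" % name)     # unsafe: % formatting

def by_name_concat(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '" + name + "'")  # unsafe: concatenation

def by_name_format(cur, name):
    cur.execute("SELECT id FROM users WHERE name = '{}'".format(name))  # unsafe: .format()
'''

# DB-API cursor methods that take SQL text as their first argument.
EXEC_METHODS = {"execute", "executemany", "executescript"}


def _classify(node):
    """Return a short reason if the SQL argument is built at runtime, else None."""
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "% formatting"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return ".format() call"
    return None


def find_unsafe_queries(source):
    """Return [(line, method, reason)] for execute()-style calls fed a runtime-built string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in EXEC_METHODS or not node.args:
            continue
        reason = _classify(node.args[0])
        if reason:
            findings.append((node.lineno, node.func.attr, reason))
    findings.sort()  # ast.walk is breadth-first; report in source order
    return findings


if __name__ == "__main__":
    for line, method, reason in find_unsafe_queries(SAMPLE_SOURCE):
        print(f"line {line}: {method}() builds its SQL with {reason}")
```

The check is deliberately syntactic: it only inspects the expression passed to the call, so a query assembled into a variable on an earlier line is missed. A real tool would add data-flow tracking for that case; the point here is that the unsafe pattern is visible without running anything.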


namibj | 6 years ago

Just don't use string mangling to combine parameters and queries. At most, use switch/case in a loop or something like it doing state machine execution to combine fixed strings. And that only because one does not accidentally build something general enough to allow for SQL injection with such harsh restrictions.
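An added example (not from the thread) of what the comment above describes, using Python's `sqlite3` module and a constructed in-memory table: the same lookup written with string concatenation and with a placeholder, plus a fixed-string allowlist for the one piece of SQL (the ORDER BY column) that a placeholder cannot carry. The table contents and the payload are made up for the example.

```python
"""Unsafe vs parameterised lookup, and an allowlist for a dynamic identifier."""
import sqlite3


def make_db():
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_unsafe(conn, name):
    """String-built query: the caller's text becomes part of the SQL grammar."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: the SQL is fixed, the value travels separately."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Placeholders bind values, not identifiers, so a sortable column has to be chosen
# from fixed strings. This is the "combine fixed strings" case from the comment.
ORDER_BY = {
    "name": "ORDER BY name",
    "role": "ORDER BY role, name",
}


def list_users(conn, sort_key):
    """Dynamic ORDER BY without letting caller text reach the SQL."""
    try:
        clause = ORDER_BY[sort_key]
    except KeyError:
        raise ValueError(f"unsupported sort key: {sort_key!r}") from None
    return conn.execute("SELECT name, role FROM users " + clause).fetchall()


# Constructed payload: closes the string literal and appends an always-true clause.
INJECTION = "x' OR '1'='1"


if __name__ == "__main__":
    conn = make_db()
    print("unsafe, normal input:", find_user_unsafe(conn, "bob"))
    print("unsafe, payload:     ", find_user_unsafe(conn, INJECTION))  # every row leaks
    print("safe,   payload:     ", find_user_safe(conn, INJECTION))    # no such user
    print("sorted by role:      ", list_users(conn, "role"))
```

With the payload, the concatenated query becomes `SELECT name, role FROM users WHERE name = 'x' OR '1'='1'` and returns the whole table; the parameterised version looks for a user literally named `x' OR '1'='1` and finds nothing. `list_users` only ever concatenates one of two fixed strings it owns, so there is no path for caller text into the query.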

sverhagen | 6 years ago

And static analysis is not limited to build time so it can provide value even earlier.

pletnes | 6 years ago

Or later, if your program grows from a small hack to an important application.