AusDTO / pe-rds-broker

AWS RDS Service Broker
Apache License 2.0

Remove string concatenation in SQL statements #8

Open tessereth opened 7 years ago

tessereth commented 7 years ago

There probably aren't any SQL injections here. But we should fix it anyway.

tessereth commented 7 years ago

This may not be possible. Most (if not all) of the places that have string concatenation won't actually work with placeholder arguments. This card should possibly change to "Make sure all arguments added to an SQL query are checked against a good regex first".

aeijdenberg commented 7 years ago

While placeholder arguments won't work in all cases, there are often alternatives for identifiers, such as https://godoc.org/github.com/lib/pq#QuoteIdentifier for Postgres. Assigning to self to fix.
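As an added example (not code from the pe-rds-broker project or from either commenter), the Go program below shows the split the thread arrives at: identifiers in DDL such as `CREATE DATABASE` cannot be bound with `$1`, so they are validated against an allow-list and then quoted with the same rule `pq.QuoteIdentifier` applies; values in ordinary queries go through placeholders as usual. The quoting function is re-implemented here only so the file runs without the lib/pq dependency, and the regex, the `cf_`-style names and the function names are assumptions for illustration, not the broker's conventions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// quoteIdentifier reproduces what lib/pq's QuoteIdentifier does, so this file runs
// without the dependency (the broker itself should call pq.QuoteIdentifier directly):
// cut at the first NUL byte, double every embedded double quote, wrap in double quotes.
// Postgres then parses the result as exactly one identifier, whatever it contains.
func quoteIdentifier(name string) string {
	if i := strings.IndexByte(name, 0); i >= 0 {
		name = name[:i]
	}
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// identifierRE is an allow-list (an assumption for this example, not the broker's rule)
// for names the broker itself generates: lowercase, starting with a letter or underscore,
// at most 63 bytes because Postgres silently truncates longer identifiers.
var identifierRE = regexp.MustCompile(`^[a-z_][a-z0-9_]{0,62}$`)

// checkIdentifier is the "check against a good regex first" step from the thread.
func checkIdentifier(name string) error {
	if !identifierRE.MatchString(name) {
		return fmt.Errorf("refusing identifier %q: does not match %s", name, identifierRE)
	}
	return nil
}

// unsafeCreateDatabase is the concatenation pattern the issue asks to remove. CREATE
// DATABASE is DDL, so it cannot take a $1 placeholder, and untrusted input lands in the
// statement text unchanged.
func unsafeCreateDatabase(name string) string {
	return "CREATE DATABASE " + name
}

// safeCreateDatabase validates the name and then quotes it as an identifier. Either step
// alone stops the injection shown in main; doing both keeps generated names predictable
// while the quoting still guarantees a single identifier if the allow-list is relaxed later.
func safeCreateDatabase(name string) (string, error) {
	if err := checkIdentifier(name); err != nil {
		return "", err
	}
	return "CREATE DATABASE " + quoteIdentifier(name), nil
}

// databaseExistsQuery shows the other half of the rule: where the untrusted input is a
// value rather than an identifier, a placeholder works and concatenation is never needed.
// It returns the query text and the args to hand to db.QueryRow.
func databaseExistsQuery(name string) (string, []interface{}) {
	return "SELECT 1 FROM pg_database WHERE datname = $1", []interface{}{name}
}

func main() {
	// Constructed attacker-controlled input, e.g. a service instance name taken from a request.
	hostile := `x; DROP DATABASE prod; --`

	fmt.Println("unsafe:", unsafeCreateDatabase(hostile))                  // two statements in one string
	fmt.Println("quoted:", "CREATE DATABASE "+quoteIdentifier(hostile))    // one oddly named database
	if _, err := safeCreateDatabase(hostile); err != nil {
		fmt.Println("rejected:", err)
	}
	q, _ := safeCreateDatabase("cf_abc123")
	fmt.Println("safe:", q)
	stmt, args := databaseExistsQuery(hostile)
	fmt.Println("placeholder:", stmt, args)
}
```

The unsafe form matters with database/sql and lib/pq because an `Exec` call that passes no arguments is sent with the simple query protocol, which accepts several semicolon-separated statements in one string; the quoted form turns the same input into a single, harmless identifier, and the allow-list rejects it outright before any statement is built.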