dart-lang / linter

Linter for Dart.
https://dart.dev/tools/linter-rules
BSD 3-Clause "New" or "Revised" License

lint to protect against SQL injection (package:sqflite) #2086

Open pq opened 4 years ago

pq commented 4 years ago

Ensure that SQL query strings are always constant, or use whitelisted string-interpolation methods.

Specifically guard against unsafe use of package:sqflite.

(Placeholder. Details to follow.)
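The following is an added illustration of the three shapes such a lint would need to tell apart when it sees a package:sqflite call: a query built by interpolating untrusted input (what the lint would flag), a constant query with bound arguments (what it would allow), and an identifier passed through an allowlist check (the "whitelisted string-interpolation method" the issue mentions). This is constructed example code, not code from the issue or from package:sqflite; the `checkedTable` helper and the `_allowedTables` set are hypothetical.

```dart
import 'package:sqflite/sqflite.dart';

// Constructed example for this issue; not part of package:sqflite.

/// Would be flagged: the SQL text itself is assembled from a runtime value.
/// A quote character inside `name` ends the string literal early and the
/// remainder is parsed as SQL, so the caller controls the statement, not
/// just the value being compared.
Future<List<Map<String, Object?>>> findUserUnsafe(Database db, String name) {
  return db.rawQuery("SELECT * FROM users WHERE name = '$name'");
}

/// Allowed: the SQL text is a compile-time constant and the value travels
/// through the `arguments` list, so SQLite binds it as data only.
Future<List<Map<String, Object?>>> findUserSafe(Database db, String name) {
  const sql = 'SELECT * FROM users WHERE name = ?';
  return db.rawQuery(sql, [name]);
}

/// Also allowed: the structured query() helper keeps the SQL fixed and
/// binds values via whereArgs.
Future<List<Map<String, Object?>>> findUserStructured(
    Database db, String name) {
  return db.query('users', where: 'name = ?', whereArgs: [name]);
}

/// Identifiers (table and column names) cannot be bound with `?`, so the
/// only way to make them dynamic is interpolation. A whitelisted
/// interpolation method (hypothetical helper) checks the identifier against
/// a constant set before it reaches the SQL text, which is the kind of call
/// a lint could recognise as safe.
const Set<String> _allowedTables = {'users', 'sessions'};

String checkedTable(String table) {
  if (!_allowedTables.contains(table)) {
    throw ArgumentError.value(table, 'table', 'not an allowed table name');
  }
  return table;
}

/// Dynamic table name, but only after the allowlist check above.
Future<int> countRows(Database db, String table) async {
  final rows = await db.rawQuery(
      'SELECT COUNT(*) AS n FROM ${checkedTable(table)}');
  return rows.first['n'] as int;
}
```

The distinction the lint has to draw is therefore about the string expression passed as the `sql` argument: a `const` or literal with `?` placeholders is fine, an interpolation is not, unless every interpolated piece comes out of a recognised allowlist helper.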

mehmetf commented 4 years ago

I am a bit skeptical about this living in the linter itself.

We want library specific lints but I believe these should live in the library itself. The library owner would want some level of control over these lints.

bwilkerson commented 4 years ago

I agree that such a lint would be best bundled with the package with which it is associated.

Unfortunately, there's more friction involved when choosing that path. Enough so that we usually end up not implementing such lints. (I'm happy to discuss the reasons with you if you're interested.)

However, being extremely pragmatic, we could define the rule in the linter and then work with the package author to move it to the package at some future point.