Describe the bug
'Compliant Solution' in the asciidoc of EC72 "Avoid SQL request in loop" suggests using String concatenation of user-supplied values and createStatement for building & executing a SQL query. Both are discouraged, as they are frequent sources of injection vulnerabilities. (Also, the code would not compile: the baseQuery and query variables are mixed up.) This lowers acceptance & credibility of the ecoCode rules.
Expected behavior
Provide a 'Compliant Solution' that compiles and promotes secure coding practices.
See e.g. https://www.baeldung.com/java-jdbc-preparedstatement-in-clause section 3.2, "IN Clause With Stream".
(Section 3.3 uses functionality that most SQL connectors don't implement.)
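The shape of a compliant solution that satisfies both concerns (one query instead of a loop, and no user data in the SQL text) is sketched below. This is an added illustration, not code from the EC72 rule or from ecoCode; the table and column names (users, id, name) are assumed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.IntStream;

public class UserLookup {

    // Hypothetical table and columns, assumed for this example.
    private static final String BASE_QUERY = "SELECT id, name FROM users WHERE id IN (";

    /** Builds one parameterised query with a "?" placeholder per id. */
    static String buildInQuery(int count) {
        // Only the placeholder list is generated from the input size; the ids
        // themselves never reach the SQL text, so they cannot alter the query.
        String placeholders = IntStream.range(0, count)
                .mapToObj(i -> "?")
                .collect(Collectors.joining(", "));
        return BASE_QUERY + placeholders + ")";
    }

    /** Fetches all requested users in a single round trip instead of one query per id. */
    static List<String> findNames(Connection conn, List<Integer> ids) throws SQLException {
        List<String> names = new ArrayList<>();
        if (ids.isEmpty()) {
            return names; // "IN ()" is invalid SQL, and there is nothing to fetch anyway
        }
        String sql = buildInQuery(ids.size());
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            for (int i = 0; i < ids.size(); i++) {
                ps.setInt(i + 1, ids.get(i)); // JDBC parameter indexes are 1-based
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }
}
```

Very large id lists may exceed a driver's parameter limit; splitting them into fixed-size batches keeps the same bind-parameter approach without falling back to concatenation.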
Reference ecocode-rules-specifications/src/main/rules/EC72/java/EC72.asciidoc