guillaumeaubert / Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection

PerlCritic policy that attempts to detect the most common sources of SQL injection in manually crafted SQL statements, by detecting the use of variables inside interpolated strings that look like SQL statements.
https://metacpan.org/pod/Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection

Reduce false positive by ending at an operator for issue #20 #21

Open cashlo opened 6 years ago

cashlo commented 6 years ago

This reduces false positives like

"update" eq $foo; $foo eq "update" && $bar; $foo ne "select" || $bar;
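To make the trade-off behind this change concrete, here is an added, stand-alone Perl sketch of the heuristic (it is not the policy's own PPI-based code, nor part of this pull request). It flags a double-quoted string that starts with an SQL keyword and carries a variable, either interpolated inside the string or concatenated after it, and it stops scanning the remainder of the statement at a comparison or logical operator, which is what turns the three false positives above into clean results. The keyword list, the operator list and the sample statements are all assumptions made for the illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Simplified illustration of the policy's idea (regex-based, not PPI-based):
# a double-quoted string that looks like the start of an SQL statement must
# not pick up a variable, whether the variable is interpolated inside the
# string or concatenated after it. Following this pull request, scanning
# after the string stops at an operator such as eq/ne/&&/||, so that
#   "update" eq $foo
# is no longer read as "update" with an injected $foo.

my $SQL_START = qr/^\s*(?:SELECT|INSERT|UPDATE|DELETE)\b/i;   # assumed keyword list
my $STOP_OPS  = qr/\b(?:eq|ne|lt|gt|le|ge|and|or)\b|&&|\|\|/;  # assumed operator list

# Returns the names of variables that reach the SQL text of one statement;
# an empty list means no violation. Only the first double-quoted string is
# examined, which is enough for the one-statement samples below.
sub scan_statement {
    my ($stmt) = @_;
    return () unless $stmt =~ /"([^"]*)"(.*)/s;
    my ($string, $after) = ($1, $2);
    return () unless $string =~ $SQL_START;

    # Variables interpolated inside the string itself: always a violation.
    my @vars = $string =~ /\$(\w+)/g;

    # Variables concatenated after the string: only up to the end of the
    # statement or, with this change, up to the first stop operator.
    $after =~ s/;.*$//s;
    $after =~ s/$STOP_OPS.*$//s;
    push @vars, $after =~ /\$(\w+)/g;
    return @vars;
}

# Constructed sample statements (not taken from any real code base).
my @samples = (
    q{my $sql = "SELECT * FROM users WHERE name = '$name'";},          # interpolation: flagged
    q{my $sql = "SELECT * FROM users WHERE id = " . $id;},             # concatenation: flagged
    q{my $sth = $dbh->prepare("SELECT * FROM users WHERE name = ?");}, # placeholder: ok
    q{"update" eq $foo;},                                               # former false positive
    q{$foo eq "update" && $bar;},                                       # former false positive
    q{$foo ne "select" || $bar;},                                       # former false positive
);

for my $stmt (@samples) {
    my @vars = scan_statement($stmt);
    printf "%-68s %s\n", $stmt,
        @vars ? 'VIOLATION: $' . join(', $', @vars) : 'ok';
}
```

Run it with `perl` and compare the last three lines against the same statements with the `$STOP_OPS` substitution removed: without the stop, `$foo` and `$bar` are reported as injected into "update" and "select". The first two samples stay flagged either way, and the placeholder form with `?` bound at execute time is the shape the policy wants to see.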

coveralls commented 6 years ago


Coverage increased (+0.1%) to 97.203% when pulling 12ef1b87da3b0d046d4ca60b3ad4c9e3e0549238 on cashlo:master into 13fa7f035842886ac80ceea1e3904398e7771e9b on guillaumeaubert:master.

cashlo commented 6 years ago

I was going to use qw{ . .= , => } as the list of operators because of usage like my $sql = sprintf "SELECT %s FROM %s" => $column, $table; but decided to align with current behaviour.

oalders commented 3 years ago

This breaks a couple of tests, which apparently pass under 5.10 on Travis.

#   Failed test 'ValuesAndExpressions::PreventSQLInjection - line 283 - Partial use of quote() and quote_identifier().'
#   at t/30-policy.t line 22.

#   Failed test 'ValuesAndExpressions::PreventSQLInjection - line 402 - Custom quoting method, ensure that defaults are disabled.'
#   at t/30-policy.t line 22.
# Expected 1 violations, got 0.