guillaumeaubert / Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection

PerlCritic policy that attempts to detect the most common sources of SQL injection in manually crafted SQL statements, by detecting the use of variables inside interpolated strings that look like SQL statements.
https://metacpan.org/pod/Perl::Critic::Policy::ValuesAndExpressions::PreventSQLInjection

False positive with commands that cannot execute SQL #24

Open nferraz opened 4 years ago

nferraz commented 4 years ago

This policy identifies the following string (used in a die) as a potential target for SQL injection:

die "Select returned: $error";

Same thing with other functions that are commonly used for logging and error handling:

INFO "Delete record $id";
warn "Update returned: $error";
croak "Insert returned: $error";

Here's a patch to whitelist functions that are considered "safe": https://github.com/guillaumeaubert/Perl-Critic-Policy-ValuesAndExpressions-PreventSQLInjection/pull/23
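To make the false positive and the whitelist fix concrete, here is a small Perl script written for this page. It is not the policy's own code (the real policy walks a PPI parse tree rather than matching lines with regexes): the line regex, the SQL-keyword heuristic and the list of "safe" functions are simplified assumptions chosen to reproduce the four lines quoted in the issue, and the sample source it scans is constructed here.

```perl
#!/usr/bin/env perl
# Toy reproduction of the false positive discussed in this issue: a naive
# "interpolated string that looks like SQL" check flags die/warn/log calls,
# and a whitelist of functions that never execute SQL suppresses those hits.
# Example code for this page, not the policy's implementation; every regex
# and the safe-function list below are simplifying assumptions.
use strict;
use warnings;

# SQL statement keywords the heuristic looks for at the start of a string.
my $SQL_START = qr/^\s*(?:SELECT|INSERT|UPDATE|DELETE|REPLACE)\b/i;

# Functions whose string arguments never reach a database (assumed list,
# modelled on the examples in the issue).
my %SAFE_FUNCTION = map { ($_ => 1) } qw(die warn croak confess INFO DEBUG WARN ERROR);

# Matches one source line of the shape
#   [my] $var = "..."            (assignment; no calling function)
#   [$obj->]func[(] "..."        (bareword or method call; $1 = function)
# and captures the double-quoted string body in $2.
my $LINE = qr/^\s*(?:(?:my\s+)?\$\w+\s*\.?=\s*|(?:\$\w+\s*->\s*)?(\w+)\s*\(?\s*)"((?:[^"\\]|\\.)*)"/;

# Return the list of line numbers a checker would flag in $source.
# $use_whitelist enables the safe-function exemption.
sub find_suspicious_lines {
    my ($source, $use_whitelist) = @_;
    my @flagged;
    my $lineno = 0;
    for my $line (split /\n/, $source) {
        $lineno++;
        next unless $line =~ $LINE;
        my ($func, $string) = ($1, $2);
        next unless $string =~ $SQL_START;          # does not look like SQL
        next unless $string =~ /(?<!\\)[\$\@]\w/;   # no interpolated variable
        next if $use_whitelist && defined $func && $SAFE_FUNCTION{$func};
        push @flagged, $lineno;
    }
    return @flagged;
}

# Constructed sample source: the four lines from the issue plus two
# hand-built SQL statements that a checker should keep flagging.
my $sample = <<'END_SOURCE';
die "Select returned: $error";
INFO "Delete record $id";
warn "Update returned: $error";
croak "Insert returned: $error";
my $sql = "SELECT * FROM users WHERE name = '$name'";
$dbh->do("DELETE FROM sessions WHERE id = $id");
END_SOURCE

printf "Without whitelist: lines %s\n", join ',', find_suspicious_lines($sample, 0);
printf "With whitelist:    lines %s\n", join ',', find_suspicious_lines($sample, 1);
```

Run it with plain `perl`; no modules beyond the core pragmas are needed. The first report flags all six lines, including the four logging and error-handling calls from the issue, because the heuristic only looks at the string. The second report keeps the two lines that build real statements and drops the `die`, `INFO`, `warn` and `croak` calls, which is the effect the linked whitelist patch is after: the exemption is keyed on the calling function, so a string that does reach `$dbh->do` is still reported.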