Dynamically executing code is security-sensitive
Rule description
- Dynamically executing code is security-sensitive
Non-compliant Code Example
-- NON-COMPLIANT EXAMPLE: the statement text is assembled by string concatenation
-- and then handed to EXECUTE IMMEDIATE, so the parameter's content becomes part of
-- the SQL itself instead of being passed as a bound value.
CREATE OR REPLACE PROCEDURE GetCustomerPhoneNumber (customerId IN INTEGER)
IS
oracleQuery VARCHAR2(100);   -- holds the dynamically built statement text
customerPhoneNumber NUMBER;  -- fetched value; local only, never returned to the caller
BEGIN
-- Concatenating the parameter into the statement is the flagged pattern.
-- With this signature customerId is an INTEGER, so the spliced text can only be a
-- number; the same construction with a VARCHAR2 parameter would let the caller's
-- input rewrite the query. The rule targets the construction, not this one type.
oracleQuery := q'{SELECT PhoneNumber FROM Customers }'
|| q'{WHERE id = '}'
|| customerId                -- implicit INTEGER -> VARCHAR2 conversion into the SQL text
|| q'{'}';                   -- the numeric id is emitted as a quoted string literal
-- Runs the concatenated text as-is: no USING clause, so nothing is bound.
-- Compliant form: keep a :placeholder in the text and supply the value with USING.
EXECUTE IMMEDIATE oracleQuery INTO customerPhoneNumber; --Non Compliant code
END;
Compliant Code Example
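-- COMPLIANT EXAMPLE: the statement text is constant and the caller-supplied value
-- travels through a bind placeholder, so it can never alter the statement.
CREATE OR REPLACE PROCEDURE GetCustomerPhoneNumber (customerId IN INTEGER)
IS
    oracleQuery VARCHAR2(100);   -- constant statement text with a :customerId placeholder
    customerPhoneNumber NUMBER;  -- fetched value; local only, never returned to the caller
BEGIN
    -- A plain single-row SELECT, not an anonymous PL/SQL block: the INTO clause of
    -- EXECUTE IMMEDIATE applies to a query and expects exactly one row
    -- (NO_DATA_FOUND / TOO_MANY_ROWS are raised otherwise, as with a static SELECT INTO).
    oracleQuery := q'{SELECT PhoneNumber FROM Customers WHERE id = :customerId}';
    -- USING binds the placeholder to the parameter; without it the placeholder is left
    -- unbound and Oracle raises ORA-01008 at run time. The bound value is sent as data,
    -- separate from the statement text, which is what makes this form safe.
    EXECUTE IMMEDIATE oracleQuery INTO customerPhoneNumber USING customerId; --Compliant code
    -- When the text is fixed as it is here, static SQL
    -- (SELECT PhoneNumber INTO customerPhoneNumber FROM Customers WHERE id = customerId;)
    -- needs no dynamic execution at all; EXECUTE IMMEDIATE is kept to illustrate the rule.
END;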