Closed Bug 422145 Opened 16 years ago Closed 16 years ago

Static analysis of SQL statements

Categories

(Developer Infrastructure :: Source Code Analysis, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: ondrej, Assigned: taras.mozilla)

Details

Bug 405920 requested an audit of SQL statements in Places to prevent SQL injection. Because such analysis should be done on a regular basis, it is favorable to create an automated tool and extend this audit to the whole code base.

The tool should find all calls to the following methods:

mozIStorageStatement::initialize
mozIStorageConnection::createStatement
mozIStorageConnection::executeSimpleSQL

The SQL parameter should be checked to determine whether it is a literal constant (which may include macro fragments), a variable, or the result of a function call. It should be possible to use comments in the code to notify the parser that the next occurrence is a verified, dynamically built SQL statement, to avoid false alarms.

It would be great if all the parsed statements were stored in a file. This would allow deeper automated testing:
- check that all queries can be prepared after database conversion,
- check that SELECTs use indexes in the query plan on all tables.
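The checker described above, as an added example in Python (not code from this bug, Bug 405920, or Mozilla's tooling): it locates the three calls, classifies the SQL argument as literal (string literals plus ALL_CAPS macro fragments), dynamic, or reviewed when a hypothetical `SQL_REVIEWED` comment marker precedes the call. It assumes the C++ bindings capitalize the IDL method names and that `initialize` takes the SQL as its second argument; the input snippet is constructed.

```python
import re

CALL = re.compile(r"(?:->|\.|::)\s*(initialize|createStatement|executeSimpleSQL)\s*\(", re.I)
SQL_ARG = {"initialize": 1, "createstatement": 0, "executesimplesql": 0}  # assumed argument index
MARKER = "SQL_REVIEWED"  # hypothetical comment marker: the next audited call was reviewed by hand
STRING = re.compile(r'"(?:[^"\\]|\\.)*"')
MACRO = re.compile(r"\b[A-Z_][A-Z0-9_]*\b")  # ALL_CAPS identifiers are treated as macro fragments

def split_args(text, start):  # top-level arguments of the call whose '(' is at text[start - 1]
    args, buf, depth, i = [], [], 0, start
    while i < len(text):
        c = text[i]
        if c == '"':  # copy a string literal whole so commas and parens inside it are ignored
            s = STRING.match(text, i)
            c, i = (s.group(), s.end() - 1) if s else (c, i)
        elif c in "()":
            depth += 1 if c == "(" else -1
            if depth < 0:  # the call's own closing paren
                return args + ["".join(buf)]
        elif c == "," and depth == 0:
            args.append("".join(buf))
            buf, c = [], ""
        buf.append(c)
        i += 1
    return args  # unterminated call: return what was found

def is_literal(arg):  # nothing but string literals, macro fragments, '+' and parentheses
    rest = MACRO.sub("", STRING.sub("", arg))
    return re.sub(r"[\s()+]", "", rest) == ""

def audit(source):  # -> [(line, method, "literal" | "dynamic" | "reviewed"), ...]
    findings, last_end = [], 0
    for m in CALL.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        args, idx = split_args(source, m.end()), SQL_ARG[m.group(1).lower()]
        sql = args[idx] if idx < len(args) else ""
        # a marker anywhere between the previous audited call and this one suppresses the alarm
        verdict = "reviewed" if MARKER in source[last_end:m.start()] else "literal" if is_literal(sql) else "dynamic"
        findings.append((line, m.group(1), verdict))
        last_end = m.end()
    return findings

SAMPLE = (  # constructed C++-style snippet for the demo, not Mozilla source
    'rv = mDBConn->CreateStatement(NS_LITERAL_CSTRING(\n'
    '    "SELECT id FROM moz_places WHERE url = ?1"), getter_AddRefs(stmt));\n'
    'rv = mDBConn->ExecuteSimpleSQL(NS_LITERAL_CSTRING("DROP TABLE ") + tableName);\n'
    '// SQL_REVIEWED: column list comes from a fixed table, checked by hand\n'
    'rv = mDBConn->ExecuteSimpleSQL(BuildQuery(columns));\n'
    'rv = stmt->Initialize(mDBConn, "DELETE FROM " TABLE_NAME " WHERE id = ?1");\n'
)
```

Only the `dynamic` verdicts need a human look; an ALL_CAPS variable name would pass as a macro fragment, so the macro heuristic is the place to tighten if a code base uses that naming style.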

Bug 405920 implemented a simple Perl-based script that runs on all platforms and does not require any setup. This bug is not needed now.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
Product: Core → Firefox Build System
Product: Firefox Build System → Developer Infrastructure