Bug 405920 requested an audit of SQL statements in Places to prevent SQL injection. Because such analysis should be done on a regular basis, it is favorable to create an automated tool and extend this audit to the whole code base.

The tool should find all calls to the following methods:
- mozIStorageStatement::initialize
- mozIStorageConnection::createStatement
- mozIStorageConnection::executeSimpleSQL

The SQL parameter should be checked to determine whether it is a literal constant (which may include macro fragments), a variable, or the result of a function call. It should be possible to use comments in the code to notify the parser that the next occurrence is a verified dynamically built SQL statement, to avoid false alarms.

It would be great if all the parsed statements were stored in a file. This would allow deeper automated testing:
- check that all queries can be prepared after database conversion,
- check that SELECTs use indexes in the query plan on all tables.
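The check this report describes, as an added example that is not part of the original bug report or of any Mozilla tool: it finds calls to the three methods, classifies the SQL argument as constant, dynamic, or verified by a preceding comment, and collects the literal SQL text so it can be written to a file. The `SQL-AUDIT: verified` marker, the capitalised C++ method spellings, and the sample input are assumptions of this example.

```python
import re

# Method names: from the bug report. C++ capitalisation and MARKER: assumed.
CALL = re.compile(r"\b([cC]reateStatement|[eE]xecuteSimpleSQL|[iI]nitialize)\s*\(")
MARKER = "SQL-AUDIT: verified"  # hypothetical suppression comment
STRING = re.compile(r'"(?:\\.|[^"\\])*"')
# A constant argument minus its string literals: macro names, parens, '+', space.
CONSTANT_REST = re.compile(r"[A-Z0-9_()+\s]*")
SAMPLE = r'''rv = mDBConn->CreateStatement(NS_LITERAL_CSTRING(
    "SELECT id FROM moz_places WHERE url = ?1"), getter_AddRefs(stmt));
rv = mDBConn->ExecuteSimpleSQL(NS_LITERAL_CSTRING("DELETE FROM ") + tableName);
// SQL-AUDIT: verified
rv = mDBConn->CreateStatement(BuildQuery(aOptions), getter_AddRefs(stmt));
'''  # constructed input, not Mozilla code

def first_argument(src, start):
    """Return the first call argument; `start` is the offset just past '('."""
    depth, i = 0, start
    while i < len(src):
        ch = src[i]
        if ch == '"':  # jump over a whole string literal
            lit = STRING.match(src, i)
            i = lit.end() if lit else len(src)
            continue
        if ch == "(":
            depth += 1
        elif ch in ")," and depth == 0:
            break
        elif ch == ")":
            depth -= 1
        i += 1
    return src[start:i].strip()

def audit(src):
    """Return (line, method, verdict, literal_sql) for each call found."""
    lines, found = src.splitlines(), []
    for m in CALL.finditer(src):
        line_no = src.count("\n", 0, m.start()) + 1
        arg = first_argument(src, m.end())
        if not arg:
            continue  # no SQL argument, e.g. an unrelated initialize()
        sql = "".join(s[1:-1] for s in STRING.findall(arg))
        constant = CONSTANT_REST.fullmatch(STRING.sub("", arg))
        marked = line_no > 1 and MARKER in lines[line_no - 2]
        verdict = "constant" if constant else "verified" if marked else "dynamic"
        found.append((line_no, m.group(1), verdict, sql))
    return found

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An identifier written entirely in upper case is treated as a macro fragment here, so a variable named that way would be reported as constant.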
Bug 405920 implemented a simple Perl-based script that runs on all platforms and does not require any setup. This bug is not needed now.
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → INVALID