java - AppScan Source Edition - SQL Injection
I am using AppScan Source Edition for Java secure coding. It is reporting SQL injection in the application. The issue is that the query is generated dynamically in the code, so I cannot use a prepared statement. Instead I have ESAPI.encoder().encodeForSQL(new OracleCodec(), query). AppScan does not consider this to mitigate the SQL injection issue.

final String s = "SELECT name FROM users WHERE id = " + ESAPI.encoder().encodeForSQL(new OracleCodec(), userId);
statement = connection.prepareStatement(s);

Additionally, this code does not work with ESAPI.encoder().

How can I resolve this issue?
What it should be is:

final String s = "SELECT name FROM users WHERE id = ?";
statement = connection.prepareStatement(s);
statement.setString(1, userId);
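An added example, not part of the question or the answer above, showing how a query whose shape must be built dynamically can still bind every user-supplied value through PreparedStatement placeholders instead of encoding it into the SQL text. The users table, its column allow-list and the filters map are assumptions for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class DynamicQueryExample {
    // Identifiers cannot be bound with '?', so the only identifiers that may be
    // spliced into the SQL text are the ones on this allow-list (assumed columns).
    private static final Set<String> ALLOWED_COLUMNS = Set.of("id", "name", "email");

    /**
     * Builds "SELECT name FROM users WHERE col1 = ? AND col2 = ? ..." from a
     * caller-supplied filter map. The SQL text varies with the keys, but every
     * value is bound as a parameter and never concatenated into the string.
     */
    public static String lookupName(Connection connection, Map<String, String> filters)
            throws SQLException {
        StringBuilder sql = new StringBuilder("SELECT name FROM users");
        List<String> values = new ArrayList<>();
        String separator = " WHERE ";
        for (Map.Entry<String, String> filter : filters.entrySet()) {
            String column = filter.getKey();
            if (!ALLOWED_COLUMNS.contains(column)) {
                // Reject rather than encode: an unknown identifier is not a value.
                throw new IllegalArgumentException("column not allowed: " + column);
            }
            sql.append(separator).append(column).append(" = ?");
            values.add(filter.getValue());
            separator = " AND ";
        }
        try (PreparedStatement stmt = connection.prepareStatement(sql.toString())) {
            for (int i = 0; i < values.size(); i++) {
                stmt.setString(i + 1, values.get(i)); // JDBC parameters are 1-based
            }
            try (ResultSet rs = stmt.executeQuery()) {
                return rs.next() ? rs.getString("name") : null;
            }
        }
    }
}
```

Because the values never reach the SQL text, a static analyzer tracing taint from the filters map sees it flow only into setString, which is what the prepared-statement answer above relies on.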