rspec/rules/S1493/cobol/rule.adoc

It is a bad practice to use Dynamic SQL. It differs from static embedded SQL in that part or all of the actual SQL commands may be stored in a host variable that is built on the fly during execution of the program. In the extreme case, the SQL commands are generated in their entirety by the application program at run time. While dynamic SQL is more flexible than static embedded SQL, it does require additional overhead and is much more difficult to understand and to maintain.


Moreover, dynamic SQL may expose the application to SQL injection vulnerabilities.


This rule raises an issue when ``++PREPARE++`` or ``++EXECUTE IMMEDIATE++`` is used.

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
EXEC SQL PREPARE SEL INTO :SQLDA FROM :STMTBUF END-EXEC.
----

== Compliant Solution

[source,cobol]
----
EXEC SQL SELECT * FROM tableName END-EXEC.
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure dynamic SQL is required here.


endif::env-github,rspecator-view[]
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`It is a bad practice to use Dynamic SQL. It differs from static embedded SQL in that part or all of the actual SQL commands may be stored in a host variable that is built on the fly during execution of the program. In the extreme case, the SQL commands are generated in their entirety by the application program at run time. While dynamic SQL is more flexible than static embedded SQL, it does require additional overhead and is much more difficult to understand and to maintain.`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`Moreover, dynamic SQL may expose the application to SQL injection vulnerabilities.`

Force linebreaks 2021-02-02 15:02:10 +01:00
make in-line code blocks verbatim 2021-01-27 13:42:22 +01:00			This rule raises an issue when ``++PREPARE++`` or ``++EXECUTE IMMEDIATE++`` is used.
Add rules 1000-1999 2020-06-30 12:47:33 +02:00
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`
Add rules 1000-1999 2020-06-30 12:47:33 +02:00
			`----`
			`EXEC SQL PREPARE SEL INTO :SQLDA FROM :STMTBUF END-EXEC.`
			`----`

Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,cobol]`
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`----`
			`EXEC SQL SELECT * FROM tableName END-EXEC.`
			`----`

Add rules 1000-1999 2020-06-30 12:47:33 +02:00			`include::../see.adoc[]`
Make sure that includes are always surrounded by empty lines (#2270) When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again. 2023-06-22 10:38:01 +02:00
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure dynamic SQL is required here.`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`endif::env-github,rspecator-view[]`