51369b610e
When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again.
40 lines
1.1 KiB
Plaintext
40 lines
1.1 KiB
Plaintext
It is a bad practice to use Dynamic SQL. It differs from static embedded SQL in that part or all of the actual SQL commands may be stored in a host variable that is built on the fly during execution of the program. In the extreme case, the SQL commands are generated in their entirety by the application program at run time. While dynamic SQL is more flexible than static embedded SQL, it does require additional overhead and is much more difficult to understand and to maintain.
|
|
|
|
|
|
Moreover, dynamic SQL may expose the application to SQL injection vulnerabilities.
|
|
|
|
|
|
This rule raises an issue when ``++PREPARE++`` or ``++EXECUTE IMMEDIATE++`` is used.
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
----
|
|
EXEC SQL PREPARE SEL INTO :SQLDA FROM :STMTBUF END-EXEC.
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,cobol]
|
|
----
|
|
EXEC SQL SELECT * FROM tableName END-EXEC.
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Make sure dynamic SQL is required here.
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|