About cookies on this site Our websites require some cookies to function properly (required). In addition, other cookies may be used with your consent to analyze site usage, improve the user experience and for advertising. For more information, please review your options. By visiting our website, you agree to our processing of information as described in IBM’sprivacy statement. To provide a smooth navigation, your cookie preferences will be shared across the IBM web domains listed here.
Publication
ICSE 2011
Workshop paper
Code-motion for API migration: Fixing SQL injection vulnerabilities in Java
Abstract
Refactoring often requires the reordering of code fragments; such is the case when migrating from one API to another. Performing such reordering manually is complex and error-prone. A specific example in the security domain involves database query execution, in which some of the parameters come from untrusted sources. In Java, the Statement API provides opportunities for SQL injection attacks. The recommended remedy is to replace it with the secure Prepared-Statement API; however, that sometimes requires changing the order in which the query is built. We present an algorithm that performs this migration, moving code as necessary to preserve functionality while changing the structure of the original code as little as possible. © 2011 ACM.