It is a bad practice to use Dynamic SQL. It differs from static embedded SQL in that part or all of the actual SQL commands may be stored in a host
variable that is built on the fly during execution of the program. In the extreme case, the SQL commands are generated in their entirety by the
application program at run time. While dynamic SQL is more flexible than static embedded SQL, it does require additional overhead and is much more
difficult to understand and to maintain.
Moreover, dynamic SQL may expose the application to SQL injection vulnerabilities.
This rule raises an issue when PREPARE or EXECUTE IMMEDIATE is used.
Ask Yourself Whether
- The SQL statement can be written without dynamic clauses.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
Do not use dynamic clauses in "SELECT" statements.
Sensitive Code Example
EXEC SQL PREPARE SEL INTO :SQLDA FROM :STMTBUF END-EXEC.
Compliant Solution
EXEC SQL SELECT * FROM tableName END-EXEC.
See
