Subject: Computer Science
At the development team meeting someone suggests building database queries dynamically from form fields on the login page. How do you respond? What do you use to support your position? Please include a reference.

Solution:
There are many cases where building database queries dynamically is the only option. But one should not build database queries dynamically. I would suggest not using it, because if one uses dynamic queries, it becomes easy for an attacker to perform SQL injection, since there is no proper control and sanitization of the parameters; this would lead to low security, and anyone could change the data. Also, a dynamic query is itself very complex in nature, and no one can tell how the queries will be executed or what form the database will take, which leads to many difficulties for the team to understand. I would suggest using static queries and a predefined form structure, which would not be as complex as dynamic queries; building a database with dynamic queries also has an impact on the performance of the database, and there is no option to upgrade your performance.
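The contrast drawn in the answer, as an added example that is not part of the original solution: the same login check written once with the query text assembled from the form fields and once as a fixed, parameterized query. The table layout, function names and the sample account are assumptions constructed for illustration, and comparing a stored hash inside SQL is a simplification.

```python
import sqlite3

def make_db():
    """In-memory users table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", "constructed-hash-1"))
    return db

def login_dynamic(db, username, password_hash):
    """'Before': the form fields become part of the SQL text itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password_hash):
    """'After': the SQL text never changes; form fields are bound as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return db.execute(sql, (username, password_hash)).fetchone() is not None

def outcome(fn, db, username, password_hash):
    """Run one login variant; report 'error' if the database rejects the query."""
    try:
        return fn(db, username, password_hash)
    except sqlite3.Error:
        return "error"

def compare(username, password_hash):
    """Return (dynamic result, parameterized result) for the same form input."""
    db = make_db()
    try:
        return (outcome(login_dynamic, db, username, password_hash),
                outcome(login_parameterized, db, username, password_hash))
    finally:
        db.close()

if __name__ == "__main__":
    # Constructed form submissions: valid login, wrong password,
    # a field that alters the query logic, and a legitimate name with a quote.
    cases = [("alice", "constructed-hash-1"), ("alice", "wrong"),
             ("alice' --", "wrong"), ("o'brien", "x")]
    for user, pw in cases:
        print(repr(user), repr(pw), "->", compare(user, pw))
```

The last two cases show both failure modes of the dynamic version: a field containing a quote either changes what the query means or breaks it outright, while the parameterized version treats the same bytes as an ordinary non-matching username.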

