Extending PMD

PMD’s default rulesets serve as a solid foundation for developing new rulesets to find common insecure coding practices. Initial rules should target code that’s high-risk and easily exploitable. Dynamically building SQL statements with user-controllable input is a good example of high-risk code commonly vulnerable to SQL injection. Rule implementations should be adaptable to new or previously unseen custom code. This is an important feature, as web applications differ in how they implement common functionality, such as authentication, authorization, and data access.

What follows is a walkthrough of a web application security rule that flags symptom code commonly vulnerable to SQL injection—SQL select statements concatenated with user-controllable input. The DynSqlSelectStmts class implements the rule logic and is located in the net.sourceforge.pmd.rules.web.security package. This implementation doesn’t cover every potential instance of dynamic SQL. It serves only as a guide for writing future security rules that target a variety of symptom code.
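The following Python sketch is an added illustration of the symptom the rule described above looks for; it is not the book's DynSqlSelectStmts class and not PMD code (a real PMD rule walks the parsed Java AST rather than matching text). It flags a statement that concatenates a SELECT string literal with user-controllable input, either directly (`request.getParameter(...)` inside the expression), through a local variable assigned from such a call, or by appending to a variable that was initialised with a SELECT literal. The list of input-source methods and the embedded Java snippet are constructed assumptions for the demonstration.

```python
import re

# Constructed list of calls treated as user-controllable input sources.
# Assumption: a production rule would make this configurable per application,
# which is the adaptability the text calls for.
USER_INPUT_SOURCES = (
    "request.getParameter(",
    "request.getParameterValues(",
    "request.getHeader(",
    "request.getQueryString(",
    "request.getCookies(",
)

# A string literal that starts with SELECT, e.g. "SELECT * FROM users WHERE id = '"
SELECT_LITERAL = re.compile(r'"\s*select\b[^"]*"', re.IGNORECASE)
# Simple assignment: [final] [Type] name = rhs   (excludes += and ==)
ASSIGN = re.compile(r'^(?:final\s+)?(?:[\w.<>\[\]]+\s+)?(\w+)\s*=(?!=)\s*(.+)$')
# Appending to an existing variable: name += ...  or  name = name + ...
APPEND = re.compile(r'^(\w+)\s*(?:\+=|=\s*\1\s*\+)')


def split_statements(java_source):
    """Split Java text into ';'-terminated statements with // comments removed.

    Text-level splitting is enough for the illustration; PMD's own rules work
    on the AST and are not fooled by semicolons or quotes inside literals.
    """
    stripped = "\n".join(line.split("//", 1)[0] for line in java_source.splitlines())
    return [" ".join(s.split()) for s in stripped.split(";") if s.strip()]


def references_user_input(expr, tainted):
    """Return the input sources (direct calls or tainted locals) used in expr."""
    hits = [src.rstrip("(") for src in USER_INPUT_SOURCES if src in expr]
    hits += [v for v in sorted(tainted) if re.search(r"\b%s\b" % re.escape(v), expr)]
    return hits


def find_dynamic_select(java_source):
    """Flag SELECT statements built by concatenating user-controllable input.

    Tracks two things across statements in order of appearance:
      * locals assigned from an input source (one hop of taint propagation)
      * locals initialised with a SELECT literal, so a later `sql += input` is caught
    """
    tainted, select_vars, findings = set(), set(), []
    for stmt in split_statements(java_source):
        sources = references_user_input(stmt, tainted)

        m = ASSIGN.match(stmt)
        if m:
            name, rhs = m.group(1), m.group(2)
            if references_user_input(rhs, tainted):
                tainted.add(name)
            if SELECT_LITERAL.search(rhs):
                select_vars.add(name)

        if "+" not in stmt or not sources:
            continue  # no concatenation, or nothing user-controlled involved

        builds_select = bool(SELECT_LITERAL.search(stmt))
        if not builds_select:
            a = APPEND.match(stmt)
            builds_select = a is not None and a.group(1) in select_vars
        if builds_select:
            findings.append({"statement": stmt, "sources": sources})
    return findings


# Constructed Java snippet (not from the book) mixing vulnerable and safe patterns.
SAMPLE_JAVA = '''
String user = request.getParameter("user");
String sql = "SELECT * FROM users WHERE name = '" + user + "'";
Statement st = conn.createStatement();
ResultSet rs = st.executeQuery(sql);

String q = "SELECT id FROM orders WHERE 1=1";
q += " AND status = '" + request.getParameter("status") + "'";

// Parameterised query: same input, no concatenation, should not be flagged
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
ps.setString(1, request.getParameter("user"));
'''

if __name__ == "__main__":
    for f in find_dynamic_select(SAMPLE_JAVA):
        print("FLAGGED:", f["statement"], "<-", ", ".join(f["sources"]))
```

Run against the embedded snippet, the two concatenated SELECT statements are reported and the PreparedStatement version, which passes the same parameter through `setString`, is not. The one-hop taint tracking is what lets the check survive the trivial refactoring of storing the parameter in a local first; anything more indirect (input arriving through a method argument, a bean, or a StringBuffer) is outside this sketch, which mirrors the book's caveat that the real rule does not cover every form of dynamic SQL either.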
