Code Room
Code review · Medium · cr-g206
Subject: Injection · Level: Mid–Senior · ~22 min · Common in Security, Databases & SQL interviews · Industries: Software development

Question

Review this Java (JDBC) method that builds a dynamic listing query.

What a strong answer looks like

Separate real bugs from style. Rank issues by severity, point at the root cause rather than the symptom, and suggest a concrete fix — specific and kind.

Talk through your review

Code to review (java)

```java
List<Row> list(Connection c, String status, String orderBy, int limit) throws SQLException {
    String sql = "SELECT id, title FROM issues WHERE status = ? "
               + "ORDER BY " + orderBy + " LIMIT " + limit;
    PreparedStatement ps = c.prepareStatement(sql);
    ps.setString(1, status);
    ResultSet rs = ps.executeQuery();
    List<Row> out = new ArrayList<>();
    while (rs.next()) out.add(new Row(rs.getLong(1), rs.getString(2)));
    return out;
}
```
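A hardened version of the method, added here as an illustration; it is not part of the original question and not a model answer from the page. The `SORT_COLUMNS` allow-list, `MAX_LIMIT`, the `column:direction` syntax for `orderBy` and the nested `Row` record are assumptions made for the example. The key point it demonstrates is that a `?` placeholder cannot take the place of the ORDER BY column: a bound parameter there is a constant expression, so every row sorts equal and the sort is silently ignored. The identifier must therefore be chosen server-side from a fixed set, and only LIMIT can be bound as a value.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Example hardening of the reviewed method (not the page's own code).
final class IssueRepository {

    // Assumed shape of the page's Row type.
    record Row(long id, String title) {}

    // Hypothetical allow-list: client-supplied sort key -> exact SQL identifier.
    // This is the only text that is ever concatenated into the query.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
        "id", "id",
        "title", "title",
        "created", "created_at");

    // Hypothetical upper bound so a caller cannot request the whole table.
    private static final int MAX_LIMIT = 500;

    /** Resolves "title" or "title:desc" against the allow-list, or rejects it. */
    static String orderClause(String orderBy) {
        if (orderBy == null) return "id ASC";
        String[] parts = orderBy.split(":", 2);
        String column = SORT_COLUMNS.get(parts[0].trim().toLowerCase());
        if (column == null) {
            // Any value not in the map, including injected SQL, stops here.
            throw new IllegalArgumentException("unsupported sort column");
        }
        boolean desc = parts.length == 2 && parts[1].trim().equalsIgnoreCase("desc");
        return column + (desc ? " DESC" : " ASC");
    }

    /** Rejects non-positive limits and caps the rest at MAX_LIMIT. */
    static int clampLimit(int limit) {
        if (limit < 1) throw new IllegalArgumentException("limit must be positive");
        return Math.min(limit, MAX_LIMIT);
    }

    static List<Row> list(Connection c, String status, String orderBy, int limit)
            throws SQLException {
        // The identifier comes from orderClause (allow-listed), the values are bound.
        String sql = "SELECT id, title FROM issues WHERE status = ? "
                   + "ORDER BY " + orderClause(orderBy) + " LIMIT ?";
        // try-with-resources also fixes the statement/result-set leak in the original.
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, status);
            ps.setInt(2, clampLimit(limit));
            try (ResultSet rs = ps.executeQuery()) {
                List<Row> out = new ArrayList<>();
                while (rs.next()) out.add(new Row(rs.getLong(1), rs.getString(2)));
                return out;
            }
        }
    }

    // Offline demonstration of the allow-list; no database connection needed.
    public static void main(String[] args) {
        System.out.println(orderClause("title:desc"));
        try {
            orderClause("(SELECT password FROM users LIMIT 1)");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Binding LIMIT as a parameter is accepted by the common PostgreSQL and MySQL JDBC drivers; if a driver does not accept it, interpolating the result of `clampLimit` is still safe because it is a bounded `int`, not attacker-controlled text. Ranking the findings, the unvalidated `orderBy` is the critical issue (SQL injection), the unbounded `limit` is a resource-abuse concern, and the unclosed `PreparedStatement` and `ResultSet` are a correctness bug worth mentioning after those two.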