Code Room
Code review · Hard · cr-g247
Subject: SQL injection
Level: Senior–Staff
~35 min
Common in Security · Databases & SQL interviews
Industries: Software development

Question

Review this Java reporting code. Assume `createUser` stores the display name via a parameterized insert.

What a strong answer looks like

Separate real bugs from style. Rank issues by severity, point at the root cause rather than the symptom, and suggest a concrete fix — specific and kind.

Talk through your review
Code to review (Java)

// Stored earlier (safe, parameterized):
//   INSERT INTO users(id, display_name) VALUES (?, ?)
public List<Row> auditByUser(long userId, Connection conn) throws SQLException {
    PreparedStatement p = conn.prepareStatement("SELECT display_name FROM users WHERE id=?");
    p.setLong(1, userId);
    ResultSet rs = p.executeQuery();
    rs.next();
    String name = rs.getString("display_name");
    String sql = "SELECT * FROM audit_log WHERE actor = '" + name + "' ORDER BY ts DESC";
    return runRaw(conn, sql);  // executes the string directly
}
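The root cause in the code above is second-order injection: the display name was inserted safely, but it is trusted on the way back out and concatenated into the audit query. Below is an added hardened version (not the page's own code) that binds the name as a parameter and also checks the `rs.next()` result the original ignores; the `Row` record and the `audit_log` columns are assumptions, since the page does not define them.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.ArrayList;
import java.util.List;

public class AuditRepository {

    // Assumed shape of a result row; the original page never defines Row.
    public record Row(long id, String actor, String action, Timestamp ts) {}

    public List<Row> auditByUser(long userId, Connection conn) throws SQLException {
        String name;
        try (PreparedStatement p = conn.prepareStatement(
                "SELECT display_name FROM users WHERE id = ?")) {
            p.setLong(1, userId);
            try (ResultSet rs = p.executeQuery()) {
                // The original called rs.next() without checking it; an unknown id
                // would then fail on getString or feed a null name into the query.
                if (!rs.next()) {
                    return List.of();
                }
                name = rs.getString("display_name");
            }
        }

        // The name still comes from the database, but it is bound as a parameter,
        // so a stored value containing quotes or SQL keywords is compared literally
        // and cannot change the structure of the query.
        List<Row> rows = new ArrayList<>();
        try (PreparedStatement q = conn.prepareStatement(
                "SELECT id, actor, action, ts FROM audit_log WHERE actor = ? ORDER BY ts DESC")) {
            q.setString(1, name);
            try (ResultSet rs = q.executeQuery()) {
                while (rs.next()) {
                    rows.add(new Row(rs.getLong("id"), rs.getString("actor"),
                                     rs.getString("action"), rs.getTimestamp("ts")));
                }
            }
        }
        return rows;
    }
}
```

If `audit_log` can be keyed by user id rather than display name, a single join on `users.id` removes the dependency on the mutable name entirely; either way, `runRaw` should not remain reachable with caller-built SQL.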