Code-motion for API migration: Fixing SQL injection vulnerabilities in Java

Refactoring often requires the reordering of code fragments; such is the case when migrating from one API to another. Performing such reordering manually is complex and error-prone. A specific example in the security domain involves database query execution, in which some of the parameters come from untrusted sources. In Java, the Statement API provides opportunities for SQL injection attacks. The recommended remedy is to replace it with the secure Prepared-Statement API; however, that sometimes requires changing the order in which the query is built. We present an algorithm that performs this migration, moving code as necessary to preserve functionality while changing the structure of the original code as little as possible. © 2011 ACM.