
Commit e66cd05

Swift: Improve phrasing around robust escape functions.
1 parent fa898b8 commit e66cd05

File tree

1 file changed

+1
-1
lines changed

swift/ql/src/queries/Security/CWE-089/SqlInjection.qhelp

Lines changed: 1 addition & 1 deletion
@@ -12,7 +12,7 @@ If a database query (such as a SQL query) is built from user-provided data witho
1212
<recommendation>
1313

1414
<p>
15-
Most database connector libraries offer a way to safely embed untrusted data into a query using query parameters or prepared statements. You should use these features to build queries, rather than string concatenation or similar methods. You can also escape (sanitize) user-controlled strings so that they can be included directly in an SQL command, but this approach is only safe if the chosen escaping function is robust.
15+
Most database connector libraries offer a way to safely embed untrusted data into a query using query parameters or prepared statements. You should use these features to build queries, rather than string concatenation or similar methods. You can also escape (sanitize) user-controlled strings so that they can be included directly in an SQL command. A library function should be used for escaping, because this approach is only safe if the escaping function is robust against all possible inputs.
1616
</p>
1717

1818
</recommendation>
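Review bot: the rewritten `<p>` still presents escaping as a second option on equal footing with query parameters, so the reader is left without a stated preference between the two; consider opening the escaping sentence with an explicit ordering, e.g. "Prefer query parameters or prepared statements; only where escaping is unavoidable, use a library-provided escaping function rather than a hand-written one." The phrase "robust against all possible inputs" is the right caveat but gives no hint of what makes an escaping routine fail, so one clause naming the usual failure mode (escaping written for one database or character encoding being reused with another) would make the recommendation actionable. Also, the whole paragraph is a single line inside the `<p>` element, which makes future diffs to this qhelp hard to read; wrapping it at sentence boundaries would keep changes like this one to a one-sentence hunk.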
