Security Concerns

Let’s look at how to address security concerns in code reviews. We’ll show you a simple example and explain why the feedback matters.

The Scenario

A developer has implemented a login function that takes user input directly. The code works but could be vulnerable to SQL injection.

authService.ts


// Before
async function login(username: string, password: string) {
  const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`
  const result = await db.query(query)
  return result.rows[0]
}

PR Comment

Choose the comment that you think is the most constructive and helpful.

Kathryne Jadecommented on Apr 2, 2025

This code is vulnerable to SQL injection. You need to fix it.

Carin Azurecommented on Apr 2, 2025

Consider using parameterized queries to prevent SQL injection.

Neely Lavendercommented on Apr 2, 2025

This needs input validation.

Delcine Graycommented on Apr 2, 2025

Thanks for implementing the login functionality! For better security, we should add input validation and use parameterized queries. This will help prevent SQL injection attacks and make the code more secure. Here’s how we can improve it:

authService.ts


// After
async function login(username: string, password: string) {
  // Validate input
  if (!username || !password) {
    throw new Error('Username and password are required');
  }
 
  // Use parameterized query
  const query = 'SELECT * FROM users WHERE username = $1 AND password = $2';
  const result = await db.query(query, [username, password]);
  return result.rows[0];
}

Click here to learn more

Improvements

1. Security Risks

Original code is vulnerable to SQL injection
New code uses parameterized queries
Added input validation for better security

2. Code Quality

More secure implementation
Better error handling
Clearer security boundaries

3. Future Maintenance

Easier to add additional security measures
Clear documentation of security practices
Better for team collaboration

Tips

1. Start Positive

Acknowledge the working code
Show you understand the current approach
Example: “Great work on the login functionality!“

2. Explain the Benefits

Why does security matter?
How does it protect users?
Example: “This prevents SQL injection attacks”

3. Be Specific

Suggest concrete improvements
Explain why they matter
Example: “Using parameterized queries prevents SQL injection”

4. Keep It Friendly

Focus on improvement, not criticism
Use encouraging language
Example: “Thanks for considering security!”

Common Pitfalls to Avoid

1. Being Too Critical

❌ “This code is insecure. Fix it.”
✅ “Good work! Here’s how we can make it even more secure.”

2. Not Explaining Why

❌ “Use parameterized queries.”
✅ “Using parameterized queries prevents SQL injection attacks and protects user data.”

3. Ignoring the Positive

❌ “This needs better security.”
✅ “Great work! Here’s how we can make it even more secure.”

Remember: The goal is to help your teammate write better code while maintaining a positive and collaborative environment!

Last updated on April 11, 2025

Coding Standards Trade-Offs