Tags: java, jsp, security, sql-injection

Find potential SQL injection problems in Java/JSP code


I'm working for a customer with a huge legacy codebase consisting of various Java and JSP based applications.

Most querying is done using the home-built 'orm' system. Some applications use Plain Old JDBC. Some applications are based on Hibernate (yes, HQL built with plus signs is a potential problem as well). Some of the older applications are entirely written in JSP.

I've found a couple of SQL injection bugs manually. But I could really use some sort of tool to search for potential weak spots.

Any ideas?


Solution

  • I would recommend FindBugs (there is also an Eclipse plugin) which can track down these issues and many more.

    We are using it at work, it's fast and it's worth the money (as in free). We've solved some common problems with its help.
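As an added example (not part of the question or the answer above, and not FindBugs or any other tool's logic), here is a crude heuristic scanner in Python for the patterns the question describes: query strings assembled with `+` and handed to JDBC or Hibernate calls, either inline or via a variable, plus SQL literals concatenated inside JSP scriptlets. The sample Java/JSP lines, the sink list and the function names `scan_source` / `scan_tree` are all constructed for this example; a hit means "look here", not "this is injectable".

```python
"""Heuristic grep for string-built SQL/HQL in Java and JSP sources.

Hypothetical helper written for this example. It flags
  (a) query-execution calls whose argument is built with '+',
  (b) variables assembled from SQL literals with '+' that are later
      passed to such a call as a bare identifier, and
  (c) SQL literals concatenated inside JSP scriptlets.
Every hit needs a human look: '+' joining two constants is noise.
"""
import re
from pathlib import Path
from typing import List, Set, Tuple

# JDBC / Hibernate call names that accept a query string (sinks).
SINKS = ("executeQuery", "executeUpdate", "execute", "createQuery",
         "createSQLQuery", "prepareStatement", "prepareCall", "addBatch")
SINK_RE = re.compile(r"\.(%s)\s*\((.*)\)" % "|".join(SINKS))
# A string literal that looks like (part of) an SQL or HQL statement.
SQL_LITERAL_RE = re.compile(
    r'"[^"]*\b(?:select|insert|update|delete|from|where)\b[^"]*"', re.IGNORECASE)
# A '+' directly next to a string literal, i.e. concatenation into the query.
CONCAT_RE = re.compile(r'"\s*\+|\+\s*"')
# `String sql = ...;`, `sql = ...;` or `sql += ...;`
ASSIGN_RE = re.compile(
    r'^\s*(?:(?:String|StringBuilder|StringBuffer)\s+)?(\w+)\s*\+?=\s*(.+);\s*$')
IDENT_RE = re.compile(r'^\s*(\w+)\s*$')

Finding = Tuple[int, str, str]  # (line number, severity, message)


def scan_source(text: str) -> List[Finding]:
    """Scan one file's text; returns findings in line order."""
    findings: List[Finding] = []
    tainted: Set[str] = set()  # variables holding concatenated SQL text
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("//"):
            continue
        # (b) remember variables assigned or extended from concatenated SQL
        m = ASSIGN_RE.match(line)
        if m and SQL_LITERAL_RE.search(m.group(2)) and CONCAT_RE.search(m.group(2)):
            tainted.add(m.group(1))
        m = SINK_RE.search(line)
        if m:
            call, arg = m.group(1), m.group(2)
            if SQL_LITERAL_RE.search(arg) and CONCAT_RE.search(arg):
                # (a) query text concatenated right in the call
                findings.append((lineno, "HIGH",
                                 f"{call}() argument built by string concatenation"))
            else:
                ident = IDENT_RE.match(arg)
                if ident and ident.group(1) in tainted:
                    findings.append((lineno, "HIGH",
                                     f"{call}() receives '{ident.group(1)}', "
                                     "assembled from concatenated SQL"))
        elif "<%" in line and SQL_LITERAL_RE.search(line) and CONCAT_RE.search(line):
            # (c) SQL glued together inside a scriptlet; trace where it flows
            findings.append((lineno, "MEDIUM",
                             "SQL literal concatenated inside JSP scriptlet"))
    return findings


def scan_tree(root: str) -> List[Tuple[str, Finding]]:
    """Walk a source tree and scan every .java and .jsp file."""
    out: List[Tuple[str, Finding]] = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix in (".java", ".jsp") and path.is_file():
            for f in scan_source(path.read_text(errors="replace")):
                out.append((str(path), f))
    return out


# Constructed sample input: lines 1-2, 6, 7 and 10 are the weak spots;
# lines 3-5 show the PreparedStatement form that should stay quiet.
SAMPLE_SOURCE = """\
String sql = "SELECT * FROM users WHERE name = '" + request.getParameter("name") + "'";
ResultSet rs = stmt.executeQuery(sql);
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE name = ?");
ps.setString(1, request.getParameter("name"));
ResultSet rs2 = ps.executeQuery();
Query q = session.createQuery("from User u where u.email = '" + email + "'");
stmt.executeUpdate("DELETE FROM audit WHERE id = " + id);
String countSql = "SELECT COUNT(*) FROM users";
ResultSet rs3 = stmt.executeQuery(countSql);
<%= "SELECT * FROM t WHERE c = '" + request.getParameter("c") + "'" %>
"""

if __name__ == "__main__":
    for lineno, sev, msg in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: [{sev}] {msg}")
```

Against the sample this reports lines 2, 6 and 7 as HIGH and line 10 as MEDIUM, and stays silent on the `?`-placeholder statement and on `countSql`, which is a plain constant. The taint tracking is per file and only follows a bare identifier, so a query assembled in one method and executed in another, or wrapped in a helper, will be missed; that is the gap a real analyser such as the one recommended above closes.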