A framework that I've built lets the application coder create SQL dynamically (when they need to). If they use the tool correctly, they will proceed in two steps: 1. build the SQL (PreparedStatement) with '?' placeholders, and 2. pass all user-entered data as parameters to the PreparedStatement.
This is just the usual means of using a PreparedStatement and params to avoid SQL injection. Nothing special there.
But I want to go an extra step: I want to verify that the coder has 'parameterized' correctly. In what sense is that possible, if at all? Can one determine syntactically all places where a '?' should appear in the SQL? Does such a tool already exist?
Edit: Example:
select blah from x where a='user-data' and b=?
Here, a has not been parameterized, while b has. I want to detect the 'a' kind of malformed SQL. Does that make sense?
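One syntactic check of the kind the question asks about, as an added example that is not part of the original post or of the asker's framework: scan the built SQL text, skip comments, recognise single-quoted string literals (including the doubled-quote escape) and numeric literals, and flag any literal that sits on the right-hand side of a comparison operator, a LIKE, or the opening parenthesis of an IN list, since that is where a '?' placeholder was expected. The function names and the sample statements are constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    offset: int     # character offset of the literal in the SQL text
    literal: str    # the literal exactly as written, quotes included
    operator: str   # the comparison operator it is the right-hand side of


# A literal is suspicious when it directly follows a comparison operator,
# LIKE, or the opening parenthesis of an IN list (heuristic, not a full parser).
_COMPARISON = re.compile(
    r"(<>|!=|<=|>=|=|<|>|\bLIKE\b|\bIN\s*\()\s*$", re.IGNORECASE)


def _record(sql, offset, literal, findings):
    # Only report the literal if the text before it ends in a comparison.
    m = _COMPARISON.search(sql[:offset])
    if m:
        findings.append(Finding(offset, literal, m.group(1).strip()))


def find_inline_literals(sql: str) -> list:
    """Return every string or numeric literal that appears where a '?'
    placeholder should have been used. Comments are skipped so that quotes
    inside them are not mistaken for literals."""
    findings = []
    i, n = 0, len(sql)
    while i < n:
        if sql.startswith("--", i):                       # line comment
            j = sql.find("\n", i)
            i = n if j == -1 else j
        elif sql.startswith("/*", i):                     # block comment
            j = sql.find("*/", i + 2)
            i = n if j == -1 else j + 2
        elif sql[i] == "'":                               # string literal
            j = i + 1
            while j < n:
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'":   # '' is an escaped quote
                        j += 2
                        continue
                    break
                j += 1
            _record(sql, i, sql[i:j + 1], findings)
            i = j + 1
        elif sql[i].isdigit() and not (i and (sql[i - 1].isalnum() or sql[i - 1] == "_")):
            m = re.match(r"\d+(?:\.\d+)?", sql[i:])       # numeric literal (not part of an identifier)
            _record(sql, i, m.group(0), findings)
            i += len(m.group(0))
        else:
            i += 1
    return findings


def is_fully_parameterized(sql: str) -> bool:
    """True when no literal was found in a comparison position."""
    return not find_inline_literals(sql)


if __name__ == "__main__":
    # Constructed sample: the statement from the question above.
    for f in find_inline_literals("select blah from x where a='user-data' and b=?"):
        print(f"offset {f.offset}: literal {f.literal} after '{f.operator}' "
              "should be a '?' placeholder")
```

Run against the question's example, the check reports the 'user-data' literal and accepts `b=?`. Constants in a SELECT list or in LIMIT are deliberately left alone, so this is a lint that catches the common mistake rather than a proof that the statement is safe; a framework could run it at the point where the PreparedStatement text is handed over and reject statements with findings.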
First of all, some of your premises are flawed.
Namely
If you don't trust your developer that much, there are 2 possible fool-proof solutions, at the price of reducing his ability to use SQL to some limited subset:
The idea is to limit your developer to these sandbox-based solutions only (dunno if such a limitation is possible out of the box though).
The above solutions are closer to your initial idea and feasible.