Critical bug fixes and recall improvements (#68)

tests/fixtures/realistic/sqli_xlang/SqliJavaConcat.java

@@ -0,0 +1,20 @@
+// Phase 15 — Java JDBC raw-string concat SQLi positive.
+// `Statement.executeQuery` is a flat SQL_QUERY sink in
+// `labels/java.rs`; concatenated `request.getParameter` value flows
+// directly into the SQL string with no parameterisation.
+package com.example;
+
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.ResultSet;
+import java.sql.Statement;
+import javax.servlet.http.HttpServletRequest;
+
+public class SqliJavaConcat {
+    public ResultSet lookup(HttpServletRequest request) throws Exception {
+        String name = request.getParameter("name");
+        Connection conn = DriverManager.getConnection("jdbc:h2:mem:db");
+        Statement stmt = conn.createStatement();
+        return stmt.executeQuery("SELECT * FROM users WHERE name = '" + name + "'");
+    }
+}