Inspectopedia Help

Call to 'Statement.execute()' with non-constant string

Reports calls to java.sql.Statement.execute() or any of its variants (such as executeQuery() and executeUpdate()) that take a dynamically constructed string as the query to execute.

SQL statements assembled at run time (for example by string concatenation) are a common source of security breaches such as SQL injection. By default, this inspection ignores compile-time constants.


ResultSet execute(Statement statement, String name) throws SQLException {
    return statement.executeQuery("select * from " + name); // reports warning
}

Use the inspection option to treat any static final field as a constant. Be careful: when that option is enabled, strings like the following are ignored even though they are built from user input:

private static final String SQL = "SELECT * FROM user WHERE name='" + getUserInput() + "'";
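The following is an added example, not code from the JetBrains Inspectopedia page, showing the pattern the inspection flags next to the two fixes a reviewer would ask for. The class and method names (SafeQueries, findUserUnsafe, findUserSafe, selectAllFrom) and the table names "user" and "audit_log" are constructed for the example. Values such as a user name go through a PreparedStatement parameter; identifiers such as a table name cannot be bound, so they are checked against a fixed allowlist and the query text itself stays a literal, which also keeps the inspection quiet:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SafeQueries {

    // Reported by the inspection: the SQL text depends on a run-time value,
    // so a crafted userName changes the structure of the query.
    static ResultSet findUserUnsafe(Statement statement, String userName) throws SQLException {
        return statement.executeQuery(
                "SELECT * FROM user WHERE name='" + userName + "'"); // reports warning
    }

    // Not reported: the SQL text is a compile-time constant and the value is
    // sent to the driver as a bound parameter, never spliced into the text.
    static ResultSet findUserSafe(Connection connection, String userName) throws SQLException {
        PreparedStatement ps = connection.prepareStatement("SELECT * FROM user WHERE name = ?");
        ps.setString(1, userName);
        return ps.executeQuery();
    }

    // Table and column names cannot be bound with '?', so the page's
    // "select * from " + name example needs a different fix: map the caller's
    // choice onto a fixed set of literal queries. Each branch passes a string
    // literal, so the inspection sees a constant and nothing else is accepted.
    static ResultSet selectAllFrom(Statement statement, String table) throws SQLException {
        switch (table) {
            case "user":
                return statement.executeQuery("SELECT * FROM user");
            case "audit_log":
                return statement.executeQuery("SELECT * FROM audit_log");
            default:
                throw new IllegalArgumentException("table not permitted: " + table);
        }
    }

    // Trap from the page: with "Consider 'static final' fields constant" enabled,
    // this field is treated as a constant and the call below is NOT reported,
    // even though the query text comes from user input. Prefer the default
    // setting unless every static final SQL string is known to be a pure literal.
    private static final String SQL =
            "SELECT * FROM user WHERE name='" + System.getProperty("user.query", "") + "'";

    static ResultSet hiddenByOption(Statement statement) throws SQLException {
        return statement.executeQuery(SQL);
    }
}
```

The switch form is deliberately verbose: it trades a small amount of repetition for query text that is a literal in every branch, which is what both the inspection and a code reviewer can verify without tracing data flow.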

Inspection options

Here you can find the description of settings available for the Call to 'Statement.execute()' with non-constant string inspection, and the reference of their default values.

Consider 'static final' fields constant

Not selected

Inspection Details

By default bundled with:

IntelliJ IDEA 2024.1, Qodana for JVM 2024.1

Can be installed with plugin:

Java, 241.16690

Last modified: 29 April 2024