Call to 'Statement.execute()' with non-constant string

Reports calls to java.sql.Statement.execute() or any of its variants which take a dynamically-constructed string as the query to execute.

Constructed SQL statements are a common source of security breaches. By default, this inspection ignores compile-time constants.

Example:

  ResultSet execute(Statement statement, String name) throws SQLException {
    return statement.executeQuery("select * from " + name); // reports warning
  }

Locating this inspection

By ID

Can be used to locate inspection in e.g. Qodana configuration files, where you can quickly enable or disable it, or adjust its settings.

JDBCExecuteWithNonConstantString

Via Settings dialog

Path to the inspection settings via IntelliJ Platform IDE Settings dialog, when you need to adjust inspection settings directly from your IDE.

Settings or Preferences | Editor | Inspections | Java | Security

Use the inspection options to consider any static final fields as constant. Be careful, because strings like the following will be ignored when the option is enabled:

  private static final String SQL = "SELECT * FROM user WHERE name='" + getUserInput() + "'";

Inspection options

Here you can find the description of settings available for the Call to 'Statement.execute()' with non-constant string inspection, and the reference of their default values.

Consider 'static final' fields constant: Default value:
Not selected

Suppressing Inspection

You can suppress this inspection by placing the following comment marker before the code fragment where you no longer want messages from this inspection to appear:

//noinspection JDBCExecuteWithNonConstantString

More detailed instructions as well as other ways and options that you have can be found in the product documentation:

IntelliJ IDEA 2025.2

Inspection Details
By default bundled with:	IntelliJ IDEA 2025.2, Qodana for JVM 2025.2,

Last modified: 18 September 2025