
Non-safe string is used as SQL

Reports cases in Java and Kotlin code where a non-safe string is passed to a method as an SQL query. Such calls can lead to SQL injection. The list of methods is taken from Settings - Language Injections for SQL, JPA QL, Hibernate QL and PostgreSQL.

A safe object is:

  • a string literal; an interface instance or enum object; an int or its wrapper; a boolean or its wrapper; a class object

  • the result of a method call whose receiver and arguments are safe

  • a private field in the same file that is assigned only string literals and has a safe initializer

  • a final field in the same file that has a safe initializer

  • a local variable that is assigned only from safe objects

Such a field, local variable, or parameter must not be passed as an argument to other methods or used as a qualifier, unless it is a primitive, its wrapper, or an immutable object.

Static final fields are considered safe.

The analysis is performed only inside one file. Example:

public void save(String sql) {
    JdbcTemplate jdbcTemplate = new JdbcTemplate();
    jdbcTemplate.queryForList(sql); // reported: `sql` is a public method parameter, so it is not a safe string
}

New in 2023.2

Inspection options

This section describes the settings available for the Non-safe string is used as SQL inspection and lists their default values.

Consider parameters of private methods as safe

Default: Selected

Consider private or final fields in the same class as safe

Default: Selected

Report strings that are too complex to verify

Default: Not selected

Untainted annotations

[javax.annotation.Untainted, org.checkerframework.checker.tainting.qual.Untainted]

Safe classes

[java.lang.Boolean, boolean, kotlin.Boolean, java.lang.Class, kotlin.reflect.KClass, char, java.lang.Character, kotlin.Char, int, java.lang.Integer, kotlin.Int, long, java.lang.Long, kotlin.Long]

Untainted methods
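As an added example (not code from the Inspectopedia page or from IntelliJ IDEA itself), the class below puts the safe-object rules and the options above side by side in one repository class. It assumes Spring's org.springframework.jdbc.core.JdbcTemplate and JSR-305's javax.annotation.Untainted are on the classpath, and the class, method and column names are invented. The "reported" / "not reported" comments are the outcome expected under the rules listed on this page with the default options, not recorded inspection output.

```java
import java.util.List;
import java.util.Map;
import javax.annotation.Untainted;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;

// Added example: one class exercising the safe-object rules and the default
// inspection options described above. The "reported" / "not reported"
// comments are the expected outcome under those rules, not inspection output.
public class UserRepository {

    // Static final fields are considered safe.
    private static final String FIND_ALL = "SELECT id, name FROM users";
    private static final String FIND_ALL_NEWEST_FIRST =
            "SELECT id, name FROM users ORDER BY created_at DESC";

    private final JdbcTemplate jdbcTemplate;

    public UserRepository(DataSource dataSource) {
        this.jdbcTemplate = new JdbcTemplate(dataSource);
    }

    // Not reported: a local variable assigned only from safe objects
    // (static final string constants) is itself safe.
    public List<Map<String, Object>> findAll(boolean newestFirst) {
        String sql = FIND_ALL;
        if (newestFirst) {
            sql = FIND_ALL_NEWEST_FIRST;
        }
        return jdbcTemplate.queryForList(sql);
    }

    // Reported: `name` is a parameter of a public method and carries no
    // untainted annotation, so the concatenated query is a non-safe string.
    // This is the pattern that leads to SQL injection.
    public List<Map<String, Object>> findByNameUnsafe(String name) {
        String sql = "SELECT id, name FROM users WHERE name = '" + name + "'";
        return jdbcTemplate.queryForList(sql);
    }

    // Not reported: the query text is a string literal; the untrusted value is
    // passed as a bind parameter and never becomes part of the SQL string.
    public List<Map<String, Object>> findByName(String name) {
        return jdbcTemplate.queryForList(
                "SELECT id, name FROM users WHERE name = ?", name);
    }

    // Not reported: javax.annotation.Untainted is in the default list of
    // untainted annotations, so the caller takes responsibility for `sql`.
    public List<Map<String, Object>> query(@Untainted String sql) {
        return jdbcTemplate.queryForList(sql);
    }

    // Not reported while the default "Consider parameters of private methods
    // as safe" option is selected; clearing that option makes this a finding.
    private List<Map<String, Object>> runInternal(String sql) {
        return jdbcTemplate.queryForList(sql);
    }
}
```

The parameterised findByName is the form to prefer: the inspection stays quiet because the query text is a literal, and the database driver, not string concatenation, handles the untrusted value. Marking a parameter @Untainted only silences the inspection; it shifts the obligation to validate the SQL text onto every caller.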


Inspection Details

By default bundled with:

IntelliJ IDEA 2024.1, Qodana for JVM 2024.1

Can be installed with plugin:

Persistence Frameworks, 241.14841

Last modified: 12 March 2024