Reports calls to java.sql.Connection.prepareStatement(),
java.sql.Connection.prepareCall(), or any
of their variants that take a dynamically constructed string as the statement to prepare.
SQL statements assembled from strings at runtime are a common source of security breaches (SQL injection), because the "prepared" statement still contains unparameterized data.
By default, this inspection ignores compile-time constants.
Use the checkbox below to also treat any static final field as a constant.
Be careful: when this option is enabled, strings like the following will be ignored even though they are built from non-constant input:
private static final String SQL =
"SELECT * FROM user WHERE name='" + getUserInput() + "'";
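As an added example (not part of this inspection description), the pattern the inspection reports next to the parameterized form it steers you toward; the `Connection`, the `name` argument and `getUserInput()` are assumed placeholders:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class UserLookup {

    // Reported by the inspection: the statement text is assembled at runtime from
    // caller-supplied data, so preparing it gives no protection against injection.
    static ResultSet findUserUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT * FROM user WHERE name='" + name + "'";
        PreparedStatement ps = conn.prepareStatement(sql);
        return ps.executeQuery();
    }

    // Not reported: the statement text is a compile-time constant. The user-supplied
    // value travels as a bind parameter and is never parsed as SQL.
    private static final String FIND_USER_SQL = "SELECT * FROM user WHERE name = ?";

    static ResultSet findUserSafe(Connection conn, String name) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(FIND_USER_SQL);
        ps.setString(1, name);
        return ps.executeQuery();
    }

    // The caveat from the description: this field is static final but NOT a
    // compile-time constant, because getUserInput() runs at class initialization.
    // With the "static final fields as constant" option enabled, the call below is
    // silently ignored; with it disabled, the inspection reports it.
    private static final String SQL =
            "SELECT * FROM user WHERE name='" + getUserInput() + "'";

    static ResultSet findUserViaStaticField(Connection conn) throws SQLException {
        return conn.prepareStatement(SQL).executeQuery();
    }

    // Placeholder standing in for any non-constant source of data (assumed).
    static String getUserInput() {
        return System.getProperty("user.lookup.name", "");
    }
}
```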