java.sql.Connection.prepareStatement(), java.sql.Connection.prepareCall(), or any of their variants that take a dynamically-constructed string as the statement to prepare.
SQL statements assembled from non-constant strings are a common source of SQL injection. By default, this inspection ignores compile-time constants (string values the Java compiler folds into a single literal), since those cannot carry attacker-controlled input.
Example:
  String bar() { return "bar"; }
  Connection connection = DriverManager.getConnection("", "", "");
  connection.prepareStatement("SELECT * FROM user WHERE name='" + bar() + "'");

Here bar() is a method call rather than a compile-time constant, so the statement is reported.

Use the inspection settings to also treat static final fields as constants. Be careful, because strings like the following are then ignored even though they are built from a method call that may return user input:

  static final String SQL = "SELECT * FROM user WHERE name='" + getUserInput() + "'";
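The following is an added, runnable example (not part of the inspection description, and not IntelliJ's or the JDK's code) that shows why both patterns above are dangerous: the concatenated statement, the same statement hidden behind a "constant" field, and the fix. It uses Python's built-in sqlite3 module as a stand-in for the java.sql API so that it runs offline; the `?` placeholder plays the role of a JDBC PreparedStatement parameter bound with setString(). The user table, its rows, and the get_user_input() helper are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the "user" table in the page's example.
USERS = [("alice", "admin"), ("bob", "user")]


def make_db():
    """Build an in-memory database with the sample user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, role TEXT)")
    # executemany binds parameters; the SQL text itself is constant.
    conn.executemany("INSERT INTO user VALUES (?, ?)", USERS)
    return conn


def find_user_concat(conn, name):
    """The pattern the inspection flags: SQL text built from a non-constant.

    Python equivalent of
        connection.prepareStatement("SELECT * FROM user WHERE name='" + bar() + "'")
    Anything in `name` becomes part of the SQL grammar, not just the value.
    """
    sql = "SELECT name FROM user WHERE name='" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, name):
    """The fix: constant SQL text, value supplied as a bound parameter.

    JDBC equivalent: prepareStatement("... WHERE name=?") then setString(1, name).
    The driver sends the value separately, so quotes in it cannot change the query.
    """
    sql = "SELECT name FROM user WHERE name=?"
    return [row[0] for row in conn.execute(sql, (name,))]


def get_user_input():
    # Hypothetical stand-in for getUserInput() in the page's last example:
    # returns a classic tautology payload as if it came from a request.
    return "x' OR '1'='1"


# Mirrors the `static final String SQL = ... + getUserInput() + ...` field:
# computed once at load time and never reassigned, yet still attacker-controlled.
# Enabling the "static final fields are constants" option would silence this.
SQL = "SELECT name FROM user WHERE name='" + get_user_input() + "'"


def run_constant_looking_sql(conn):
    """Execute the module-level 'constant'; the payload still reaches the engine."""
    return [row[0] for row in conn.execute(SQL)]


if __name__ == "__main__":
    db = make_db()
    payload = get_user_input()
    print("concat, benign input:   ", find_user_concat(db, "alice"))
    print("concat, payload:        ", find_user_concat(db, payload))
    print("param, payload:         ", find_user_param(db, payload))
    print("static-final style SQL: ", run_constant_looking_sql(db))
```

With the payload, the concatenated query becomes `WHERE name='x' OR '1'='1'` and returns every row, both when the string is built at call time and when it is frozen in a module-level constant; the parameterized query looks for a user literally named `x' OR '1'='1` and returns nothing. Note that parameters only protect values: table or column names still cannot be bound, so those must come from an allow-list rather than from input.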