java.sql.Statement.execute() or any of its variants that take a dynamically constructed string as the query to execute.
Dynamically constructed SQL statements are a common source of SQL injection. By default, this inspection ignores compile-time constants.
Example:
  ResultSet execute(Statement statement, String name) throws SQLException {
    return statement.executeQuery("select * from " + name); // reports warning
  }
Use the inspection options to treat any static final field as a constant as well.
Be careful: with that option enabled, a static final field is treated as a constant regardless of how it is initialized, so a string like the following is ignored even though its value is assembled at run time from user input:
  private static final String SQL = "SELECT * FROM user WHERE name='" + getUserInput() + "'";
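The following is an added example and not part of the inspection's description. It puts the two situations above side by side: the inspection's `"select * from " + name` case, hardened with an allowlist because a table name cannot be bound as a parameter; a value bound through PreparedStatement; and the static final pitfall, where a field initialized from a runtime value (here a system property standing in for `getUserInput()`) is just as injectable as inline concatenation but escapes the inspection when the option is on. The `SafeQueries` and `LegacyQueries` class names, the `app.user` property and the use of the sqlite-jdbc driver (`jdbc:sqlite::memory:`) are assumptions; any JDBC driver on the classpath will do.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Set;

public class SafeQueries {
    // Table names cannot be bound as parameters, so a caller-supplied table name
    // is only safe after it has been checked against a fixed allowlist.
    private static final Set<String> ALLOWED_TABLES = Set.of("user", "order_item");

    // Hardened variant of the inspection's example: the identifier is validated
    // first, so the concatenated query can only take one of two known shapes.
    // The inspection still reports the concatenation; review it and suppress locally.
    static ResultSet listTable(Statement statement, String name) throws SQLException {
        if (!ALLOWED_TABLES.contains(name)) {
            throw new IllegalArgumentException("unknown table: " + name);
        }
        return statement.executeQuery("select * from " + name);
    }

    // Data values are bound through PreparedStatement and never reach the SQL
    // parser as text, so a quote in the payload is just a character in a string.
    static int countUsersNamed(Connection conn, String userName) throws SQLException {
        try (PreparedStatement ps =
                     conn.prepareStatement("SELECT COUNT(*) FROM user WHERE name = ?")) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // The pitfall from the inspection's option: this static final String is not a
    // compile-time constant because its initializer calls a method, yet the option
    // makes the inspection treat it as one. Its value is fixed at class
    // initialization, which is still run time, so it is as injectable as any other
    // concatenation. Nested so that main() can set the property before it is built.
    // (Hypothetical legacy code, deliberately vulnerable.)
    static final class LegacyQueries {
        static final String FIND_USER = "SELECT COUNT(*) FROM user WHERE name='"
                + System.getProperty("app.user", "") + "'";
    }

    static int countUsersLegacy(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(LegacyQueries.FIND_USER)) { // not reported with the option on
            rs.next();
            return rs.getInt(1);
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumes the sqlite-jdbc driver is on the classpath (in-memory database).
        try (Connection conn = DriverManager.getConnection("jdbc:sqlite::memory:")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE user(name VARCHAR(64))");
                st.execute("INSERT INTO user VALUES ('alice'), ('bob')");
            }

            String payload = "' OR '1'='1";

            // Bound parameter: the payload is compared literally and matches no row.
            System.out.println("prepared: " + countUsersNamed(conn, payload));

            // Static final built from a runtime value: the payload rewrites the
            // WHERE clause so that every row matches, and the inspection stays silent.
            System.setProperty("app.user", payload);
            System.out.println("legacy:   " + countUsersLegacy(conn));

            // Allowlisted identifier: an injected table name is rejected before any SQL is built.
            try (Statement st = conn.createStatement()) {
                listTable(st, "user; DROP TABLE user");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The takeaway for the option: enable it only after auditing that every static final String reported as constant really is a compile-time constant (a literal or a concatenation of literals). Any initializer that calls a method or reads a property is a runtime value and must be rewritten to use bound parameters, as `countUsersNamed` does.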