A prepared statement is generated from a nonconstant String

Findbugs报错：

A prepared statement is generated from a nonconstant String

The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.

修改方法：
java.sql.PreparedStatement如果含有变量，改成？，然后用setString、setInt等方法替代。例如

            prepareStatement = conn.prepareStatement("insert into tableName (id,name) values (?,?)");

            prepareStatement.setString(1, value1);

            prepareStatement.setString(2, value2);