A prepared statement is generated from a nonconstant String

FindBugs error:

A prepared statement is generated from a nonconstant String


The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used to build this String, SQL injection could make the prepared statement do something unexpected and undesirable.


How to fix:
If the SQL text passed to java.sql.PreparedStatement contains variables, replace each of them with a ? placeholder and supply the values with setString, setInt and similar methods, so the SQL String itself stays constant. For example:

    // SQL text is a constant; the values travel as bound parameters, never as part of the SQL
    try (PreparedStatement prepareStatement = conn.prepareStatement("insert into tableName (id,name) values (?,?)")) {
        prepareStatement.setString(1, value1);
        prepareStatement.setString(2, value2);
        prepareStatement.executeUpdate();
    }
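As an added example (not code from the original post), the method FindBugs flags next to its corrected form, plus the one case a ? cannot cover: a table or column name that has to vary. The `users` table, its columns and the whitelist are assumed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class UserDao {

    // BAD: the SQL text is assembled from a method argument, so it is a nonconstant String.
    // FindBugs reports SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING here, and a
    // quote character inside 'name' changes the structure of the statement, not just a value.
    static String findEmailUnsafe(Connection conn, String name) throws SQLException {
        String sql = "select email from users where name = '" + name + "'";
        try (PreparedStatement ps = conn.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // GOOD: the SQL text is a compile-time constant; the value is bound with setString,
    // so the driver transmits it as data and the database never parses it as SQL.
    private static final String FIND_EMAIL_SQL = "select email from users where name = ?";

    static String findEmailSafe(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(FIND_EMAIL_SQL)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    // Identifiers (table or column names) cannot be bound with '?'. When one must vary,
    // accept it only from a closed whitelist, so the String reaching prepareStatement is
    // always one of a few known literals. (Hypothetical helper, not from the post.)
    private static final Set<String> SORTABLE_COLUMNS = Set.of("name", "email", "created_at");

    static PreparedStatement listUsersSortedBy(Connection conn, String column) throws SQLException {
        if (!SORTABLE_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column: " + column);
        }
        // A strict analyzer may still flag this as nonconstant; the whitelist check above is
        // what makes it acceptable, and reviewers should see both together.
        return conn.prepareStatement("select name, email from users order by " + column);
    }
}
```

Run FindBugs (or SpotBugs) over both `findEmail*` methods to see that only the unsafe one is reported.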

