• Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

Find bug issue - A prepared statement is generated from a nonconstant String

 
Gayan Keppetipola
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi all,

I have a method in the following nature

public String getNameForCustomer(final String customerCode) throws MYException{
// name string
String name = null;
// The select query to get the public key
final String selectQuery = MYConstants.SQL_SELECT_NAME_FROM_CUSTOMER_WHERE_CUSTOMER_NAME+ customerCode + "'";
// Declare variables
Connection connection = null;
PreparedStatement preparedStatement = null;
ResultSet rs = null;
try {
// Get connection
connection = myDataSource.getConnection();

// Check if selectQuery is not null
if(selectQuery!=null){
// Get prepare statement
preparedStatement = connection.prepareStatement(selectQuery);
// Execute query
rs = preparedStatement.executeQuery();
while (rs.next()) {
// Get the public key
name = rs.getString(1);
}

// Close prepare statement
preparedStatement.close();
}
} catch (SQLException e) {
log.error(
MYConstants.ERROR_OCCURRED_WHILE_GETTING_CUSTOMER_NAME, e);
}finally{
//Close the result set if it is not null
if(rs != null){
try {
rs.close();
} catch (SQLException e) {
log.error(MYConstants.DATE_BASE_CONNECTION_EXCEPTION);
throw new MYException (MYConstants.DATE_BASE_CONNECTION_EXCEPTION, e);
}
}
//Close the connection if it is not null
if (connection !=null){
try {
connection.close();
} catch (SQLException e) {
log.error(MYConstants.DATE_BASE_CONNECTION_EXCEPTION);
throw new MYException (MYConstants.DATE_BASE_CONNECTION_EXCEPTION, e);
}
}

}
// Return name
return name;
}


Here it gives a find bug P1 error since I create the SQL query from a non constant string.

Refer line below.

final String selectQuery = MYConstants.SQL_SELECT_NAME_FROM_CUSTOMER_WHERE_CUSTOMER_NAME+ customerCode + "'";

The following error description is given as well
The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable


I have no option here because I have to get the customercode as a parameter to the method.

Could anyone please let me know what I can do here to avoid this find bug issue.

Thanking you in advance,
Gayan
 
Jeanne Boyarsky
author & internet detective
Marshal
Posts: 35279
384
Eclipse IDE Java VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Gayan,
The message means you should use a string like "where customerName = ?" rather than "where customerName = '" + customerName + "'";

The former gives you the protection from sql injection while the later does not. If the user enters a badly formatted customerName it could cause problems.

Just curious: what tool is giving you that warning? It doesn't look like a compiler error. The tool is correct and the code should be changed. I'm just wondering what tool it is.
 
Gayan Keppetipola
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Jeanne,

I tried what you said and changed the query to use "where customerName = ?" and before getting the results set i called preparedStatement.setString(1,customerCode) to set the customer code parameter. The code works just fine now and i don't get that warning too.

The tool we are using to check the code quality is FindBugs. It doesn't give a compile error just a warning in P1 level.

Thanks a lot for the help
With best regards,
Gayan
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic