[Logo]
Forums Register Login
Find bug issue - A prepared statement is generated from a nonconstant String
Hi all,

I have a method in the following nature

public String getNameForCustomer(final String customerCode) throws MYException{
// name string
String name = null;
// The select query to get the public key
final String selectQuery = MYConstants.SQL_SELECT_NAME_FROM_CUSTOMER_WHERE_CUSTOMER_NAME+ customerCode + "'";
// Declare variables
Connection connection = null;
PreparedStatement preparedStatement = null;
ResultSet rs = null;
try {
// Get connection
connection = myDataSource.getConnection();

// Check if selectQuery is not null
if(selectQuery!=null){
// Get prepare statement
preparedStatement = connection.prepareStatement(selectQuery);
// Execute query
rs = preparedStatement.executeQuery();
while (rs.next()) {
// Get the public key
name = rs.getString(1);
}

// Close prepare statement
preparedStatement.close();
}
} catch (SQLException e) {
log.error(
MYConstants.ERROR_OCCURRED_WHILE_GETTING_CUSTOMER_NAME, e);
}finally{
//Close the result set if it is not null
if(rs != null){
try {
rs.close();
} catch (SQLException e) {
log.error(MYConstants.DATE_BASE_CONNECTION_EXCEPTION);
throw new MYException (MYConstants.DATE_BASE_CONNECTION_EXCEPTION, e);
}
}
//Close the connection if it is not null
if (connection !=null){
try {
connection.close();
} catch (SQLException e) {
log.error(MYConstants.DATE_BASE_CONNECTION_EXCEPTION);
throw new MYException (MYConstants.DATE_BASE_CONNECTION_EXCEPTION, e);
}
}

}
// Return name
return name;
}


Here it gives a find bug P1 error since I create the SQL query from a non constant string.

Refer line below.

final String selectQuery = MYConstants.SQL_SELECT_NAME_FROM_CUSTOMER_WHERE_CUSTOMER_NAME+ customerCode + "'";

The following error description is given as well
The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable


I have no option here because I have to get the customercode as a parameter to the method.

Could anyone please let me know what I can do here to avoid this find bug issue.

Thanking you in advance,
Gayan
Gayan,
The message means you should use a string like "where customerName = ?" rather than "where customerName = '" + customerName + "'";

The former gives you the protection from sql injection while the later does not. If the user enters a badly formatted customerName it could cause problems.

Just curious: what tool is giving you that warning? It doesn't look like a compiler error. The tool is correct and the code should be changed. I'm just wondering what tool it is.
Hi Jeanne,

I tried what you said and changed the query to use "where customerName = ?" and before getting the results set i called preparedStatement.setString(1,customerCode) to set the customer code parameter. The code works just fine now and i don't get that warning too.

The tool we are using to check the code quality is FindBugs. It doesn't give a compile error just a warning in P1 level.

Thanks a lot for the help
With best regards,
Gayan

This thread has been viewed 12250 times.

All times above are in ranch (not your local) time.
The current ranch time is
Sep 26, 2018 08:16:26.