Forums Register Login
Find bug issue - A prepared statement is generated from a nonconstant String
Hi all,

I have a method in the following nature

public String getNameForCustomer(final String customerCode) throws MYException{
// name string
String name = null;
// The select query to get the public key
final String selectQuery = MYConstants.SQL_SELECT_NAME_FROM_CUSTOMER_WHERE_CUSTOMER_NAME+ customerCode + "'";
// Declare variables
Connection connection = null;
PreparedStatement preparedStatement = null;
ResultSet rs = null;
try {
// Get connection
connection = myDataSource.getConnection();

// Check if selectQuery is not null
// Get prepare statement
preparedStatement = connection.prepareStatement(selectQuery);
// Execute query
rs = preparedStatement.executeQuery();
while (rs.next()) {
// Get the public key
name = rs.getString(1);

// Close prepare statement
} catch (SQLException e) {
//Close the result set if it is not null
if(rs != null){
try {
} catch (SQLException e) {
throw new MYException (MYConstants.DATE_BASE_CONNECTION_EXCEPTION, e);
//Close the connection if it is not null
if (connection !=null){
try {
} catch (SQLException e) {
throw new MYException (MYConstants.DATE_BASE_CONNECTION_EXCEPTION, e);

// Return name
return name;

Here it gives a find bug P1 error since I create the SQL query from a non constant string.

Refer line below.

final String selectQuery = MYConstants.SQL_SELECT_NAME_FROM_CUSTOMER_WHERE_CUSTOMER_NAME+ customerCode + "'";

The following error description is given as well
The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable

I have no option here because I have to get the customercode as a parameter to the method.

Could anyone please let me know what I can do here to avoid this find bug issue.

Thanking you in advance,
The message means you should use a string like "where customerName = ?" rather than "where customerName = '" + customerName + "'";

The former gives you the protection from sql injection while the later does not. If the user enters a badly formatted customerName it could cause problems.

Just curious: what tool is giving you that warning? It doesn't look like a compiler error. The tool is correct and the code should be changed. I'm just wondering what tool it is.
Hi Jeanne,

I tried what you said and changed the query to use "where customerName = ?" and before getting the results set i called preparedStatement.setString(1,customerCode) to set the customer code parameter. The code works just fine now and i don't get that warning too.

The tool we are using to check the code quality is FindBugs. It doesn't give a compile error just a warning in P1 level.

Thanks a lot for the help
With best regards,
Wink, wink, nudge, nudge, say no more ... https://richsoil.com/cards

This thread has been viewed 11930 times.

All times above are in ranch (not your local) time.
The current ranch time is
Jun 17, 2018 23:51:57.