This week's book giveaway is in the Cloud/Virtualization forum.
We're giving away four copies of Learning OpenStack Networking: Build a solid foundation in virtual networking technologies for OpenStack-based clouds and have James Denton on-line!
See this thread for details.
Win a copy of Learning OpenStack Networking: Build a solid foundation in virtual networking technologies for OpenStack-based clouds this week in the Cloud/Virtualization forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Liutauras Vilda
  • Campbell Ritchie
  • Tim Cooke
  • Bear Bibeault
  • Devaka Cooray
Sheriffs:
  • Jeanne Boyarsky
  • Knute Snortum
  • Junilu Lacar
Saloon Keepers:
  • Tim Moores
  • Ganesh Patekar
  • Stephan van Hulst
  • Pete Letkeman
  • Carey Brown
Bartenders:
  • Tim Holloway
  • Ron McLeod
  • Vijitha Kumara

Find bug issue - A prepared statement is generated from a nonconstant String  RSS feed

 
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi all,

I have a method in the following nature

public String getNameForCustomer(final String customerCode) throws MYException{
// name string
String name = null;
// The select query to get the public key
final String selectQuery = MYConstants.SQL_SELECT_NAME_FROM_CUSTOMER_WHERE_CUSTOMER_NAME+ customerCode + "'";
// Declare variables
Connection connection = null;
PreparedStatement preparedStatement = null;
ResultSet rs = null;
try {
// Get connection
connection = myDataSource.getConnection();

// Check if selectQuery is not null
if(selectQuery!=null){
// Get prepare statement
preparedStatement = connection.prepareStatement(selectQuery);
// Execute query
rs = preparedStatement.executeQuery();
while (rs.next()) {
// Get the public key
name = rs.getString(1);
}

// Close prepare statement
preparedStatement.close();
}
} catch (SQLException e) {
log.error(
MYConstants.ERROR_OCCURRED_WHILE_GETTING_CUSTOMER_NAME, e);
}finally{
//Close the result set if it is not null
if(rs != null){
try {
rs.close();
} catch (SQLException e) {
log.error(MYConstants.DATE_BASE_CONNECTION_EXCEPTION);
throw new MYException (MYConstants.DATE_BASE_CONNECTION_EXCEPTION, e);
}
}
//Close the connection if it is not null
if (connection !=null){
try {
connection.close();
} catch (SQLException e) {
log.error(MYConstants.DATE_BASE_CONNECTION_EXCEPTION);
throw new MYException (MYConstants.DATE_BASE_CONNECTION_EXCEPTION, e);
}
}

}
// Return name
return name;
}


Here it gives a find bug P1 error since I create the SQL query from a non constant string.

Refer line below.

final String selectQuery = MYConstants.SQL_SELECT_NAME_FROM_CUSTOMER_WHERE_CUSTOMER_NAME+ customerCode + "'";

The following error description is given as well
The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable


I have no option here because I have to get the customercode as a parameter to the method.

Could anyone please let me know what I can do here to avoid this find bug issue.

Thanking you in advance,
Gayan
 
author & internet detective
Sheriff
Posts: 38561
654
Eclipse IDE Java VI Editor
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Gayan,
The message means you should use a string like "where customerName = ?" rather than "where customerName = '" + customerName + "'";

The former gives you the protection from sql injection while the later does not. If the user enters a badly formatted customerName it could cause problems.

Just curious: what tool is giving you that warning? It doesn't look like a compiler error. The tool is correct and the code should be changed. I'm just wondering what tool it is.
 
Gayan Keppetipola
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi Jeanne,

I tried what you said and changed the query to use "where customerName = ?" and before getting the results set i called preparedStatement.setString(1,customerCode) to set the customer code parameter. The code works just fine now and i don't get that warning too.

The tool we are using to check the code quality is FindBugs. It doesn't give a compile error just a warning in P1 level.

Thanks a lot for the help
With best regards,
Gayan
 
It is sorta covered in the JavaRanch Style Guide.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!