How to avoid “Security - A prepared statement is generated from a nonconstant String” FindBugs Warning

前端 未结 7 2966
灰色年华
灰色年华 2021-02-19 21:39

I am working on a project that has a piece of code like the one below:

String sql = \"SELECT MAX(\" + columnName + \") FROM \" + tableName;                
Prepa         


        
7条回答
  •  旧巷少年郎
    2021-02-19 22:08

    Try using the following...

    private static final String SQL = "SELECT MAX(%s) FROM %s";
    

    And then using a String.format() call when you use it...

    PreparedStatement ps = connection.prepareStatement(String.format(sql,columnName,tableName));
    

    If that doesn't solve the problem, you can always ignore that check; turn it off in your FindBugs configuration.

    If that doesn't work (or isn't an option), some IDEs (like IntelliJ) will also let you suprress warnings with either specially formatted comments or annotations.

提交回复
热议问题