I am working on a project that has a piece of code like the one below:
String sql = "SELECT MAX(" + columnName + ") FROM " + tableName; Prepa
Neither String.format nor StringBuilder (or StringBuffer) helped me.
The solution was "prepareStatement" isolation:
private PreparedStatement prepareStatement(Connection conn, String sql) throws SQLException {
    return conn.prepareStatement(sql);
}
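
An added example, not part of the original post: JDBC bind parameters (`?`) cannot stand in for table or column names, so the concatenated identifiers have to be validated before the string reaches `prepareStatement`. This sketch checks them against an allow-list; the class name, the `ALLOWED` schema and the sample inputs are assumptions made up for illustration (Java 9+ for `Map.of`).

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Map;
import java.util.Set;

public class MaxQueryBuilder {
    // Hypothetical schema: the only tables and columns a caller may name.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
            "orders", Set.of("id", "total", "created_at"),
            "invoices", Set.of("id", "amount"));

    /** Builds the query only from identifiers that appear in the allow-list. */
    static String buildMaxQuery(String tableName, String columnName) {
        if (tableName == null || columnName == null) {
            throw new IllegalArgumentException("identifier must not be null");
        }
        Set<String> columns = ALLOWED.get(tableName);
        if (columns == null) {
            throw new IllegalArgumentException("table not allowed: " + tableName);
        }
        if (!columns.contains(columnName)) {
            throw new IllegalArgumentException("column not allowed: " + columnName);
        }
        // Both values matched entries in ALLOWED, so no caller-controlled
        // text other than a known identifier reaches the SQL string.
        return "SELECT MAX(" + columnName + ") FROM " + tableName;
    }

    /** Same shape as the wrapper above, but it only accepts validated identifiers. */
    static PreparedStatement prepareMax(Connection conn, String tableName, String columnName)
            throws SQLException {
        return conn.prepareStatement(buildMaxQuery(tableName, columnName));
    }

    public static void main(String[] args) {
        // Known identifiers: prints SELECT MAX(total) FROM orders
        System.out.println(buildMaxQuery("orders", "total"));
        // Constructed input that is not a plain column name: rejected before any SQL is built.
        try {
            buildMaxQuery("orders", "total) FROM users --");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```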