How to avoid “Security - A prepared statement is generated from a nonconstant String” FindBugs Warning

Question

I am working on a project that has a piece of code like the one below:

String sql = \"SELECT MAX(\" + columnName + \") FROM \" + tableName;                
Prepa         


        

Answer 1

If you make sure that is no possibility of SQL injection, use the SuppressFBWarnings annotation on the method:

@edu.umd.cs.findbugs.annotations.SuppressFBWarnings("SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING")