MDS/openide
1
0
Fork 0
mirror of https://gitflic.ru/project/openide/openide.git synced 2025-12-16 22:51:17 +07:00
Code Issues Packages Projects Releases Wiki Activity
Files
40795fe787fd37ab1a4626d72871627cd74cd087
openide/java/java-impl/resources/inspectionDescriptions/JDBCPrepareStatementWithNonConstantString.html
Leonid Shalupov 40795fe787 IJI-2422: community/java: move resources under resources root 
GitOrigin-RevId: 8b2b63fc6db476ca0c2cfe5cadd84db6c4236d0f
2025-02-05 04:43:28 +00:00

23 lines
929 B
HTML
Raw Blame History

<html>
<body>
Reports calls to <code>java.sql.Connection.prepareStatement()</code>, <code>java.sql.Connection.prepareCall()</code>, or any of their
variants which take a dynamically-constructed string as the statement to prepare.
<p>
Constructed SQL statements are a common source of
security breaches. By default, this inspection ignores compile-time constants.
</p>
<p><b>Example:</b></p>
<pre><code>
String bar() { return "bar"; }
Connection connection = DriverManager.getConnection("", "", "");
connection.("SELECT * FROM user WHERE name='" + bar() + "'");
</code></pre>
<!-- tooltip end -->
Use the inspection settings to consider any <code>static</code> <code>final</code> fields as constants. Be careful, because strings like the
following will be ignored when the option is enabled:
<pre><code>
static final String SQL = "SELECT * FROM user WHERE name='" + getUserInput() + "'";
</code></pre>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink