JDBCPrepareStatementWithNonConstantString

java/java-impl/resources/inspectionDescriptions/JDBCPrepareStatementWithNonConstantString.html

2025.3-rc-2774 B

Reports calls to java.sql.Connection.prepareStatement(), java.sql.Connection.prepareCall(), or any of their variants which take a dynamically-constructed string as the statement to prepare.

SQL statements assembled from non-constant strings are a common source of SQL injection. By default, this inspection ignores compile-time constants.

Example:

String bar() { return "bar"; }

  Connection connection = DriverManager.getConnection("", "", "");
  connection.prepareStatement("SELECT * FROM user WHERE name='" + bar() + "'"); // reported: statement text is built at run time

Use the inspection settings to treat any static final field as a constant. Be careful, because strings like the following will be ignored when that option is enabled:

static final String SQL = "SELECT * FROM user WHERE name='" + getUserInput() + "'";
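The following is an added example, not code from the inspection description or from the IntelliJ code base. It puts the three shapes discussed above side by side: the dynamically concatenated statement the inspection reports, the parameterized form that keeps the statement text constant, and a static final field whose initializer is not a compile-time constant yet is ignored once the option is enabled. The class and method names are assumptions, a system property stands in for the page's getUserInput(), and the JDBC URL, user and password are assumed to be supplied on the command line for a driver that is on the class path.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class PrepareStatementExample {

    // Reported by the inspection: the statement text is assembled at run time from a
    // non-constant value, so a quote character inside name changes the query's structure.
    static PreparedStatement unsafeLookup(Connection connection, String name) throws SQLException {
        return connection.prepareStatement("SELECT * FROM user WHERE name='" + name + "'");
    }

    // Not reported: the statement text is a compile-time constant and the value is bound
    // as a parameter, so the driver never parses it as SQL.
    static PreparedStatement safeLookup(Connection connection, String name) throws SQLException {
        PreparedStatement ps = connection.prepareStatement("SELECT * FROM user WHERE name = ?");
        ps.setString(1, name);
        return ps;
    }

    // Assumption: System.getProperty stands in for the page's getUserInput(). With the
    // "static final fields are constants" option enabled this field counts as a constant
    // and the call below is ignored, although the text is still built from a run-time value.
    static final String SQL = "SELECT * FROM user WHERE name='" + System.getProperty("user.name") + "'";

    static PreparedStatement ignoredWhenOptionEnabled(Connection connection) throws SQLException {
        return connection.prepareStatement(SQL);
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: JDBC URL, user and password are passed on the command line.
        if (args.length < 3) {
            System.err.println("usage: PrepareStatementExample <jdbc-url> <user> <password>");
            return;
        }
        // "O'Brien" contains a quote; the parameterized form handles it without changing the query.
        try (Connection connection = DriverManager.getConnection(args[0], args[1], args[2]);
             PreparedStatement ps = safeLookup(connection, "O'Brien");
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                System.out.println(rs.getString("name"));
            }
        }
    }
}
```

Only safeLookup is executed by main; unsafeLookup and ignoredWhenOptionEnabled exist so the inspection's behaviour on each shape can be observed in the editor. The third method is the one to watch: enabling the option silences the report on it even though SQL is concatenated from a run-time value at class initialization.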