Inspectopedia
 
2024.3

Call to 'Statement.execute()' with non-constant string

Warning
New
Last modified: 03 December 2024

Reports calls to java.sql.Statement.execute() or any of its variants which take a dynamically-constructed string as the query to execute.

Constructed SQL statements are a common source of security breaches. By default, this inspection ignores compile-time constants.

Example:

Use the inspection options to consider any static final fields as constant. Be careful, because strings like the following will be ignored when the option is enabled: