Home/ Questions/Q 7907723
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-03T11:36:02+00:00

I am working on a project that has a piece of code like the

  • 0

I am working on a project that has a piece of code like the one below:

String sql = "SELECT MAX(" + columnName + ") FROM " + tableName;                
PreparedStatement ps = connection.prepareStatement(sql);

Is there any way that I can change this code so that FindBugs stop giving me a
“Security – A prepared statement is generated from a nonconstant String” warning ?

Please assume that this code is safe regarding SQL INJECTION since I can control elsewhere in the code the possible
values for “tableName” and “columnName” (they do not come come directly from user input).

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Do not concatenate the sql String by +. You can use

    String sql = String.format("SELECT MAX(%s) FROM %s ", columnName, tableName);

    This is slower than concatenating a String so you should initialize this static then this is not a problem.

    I think using a StringBuilder will also fix this warning.

    Another way you can avoid this warning is to add @SuppressWarnings("SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING") above that string (or the method/or the class).

    You could also use a Filter File to define rules which should be excluded.

    • 0