• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

Find bug issue - A prepared statement is generated from a nonconstant String

 
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi all,

I have a method in the following nature

public String getNameForCustomer(final String customerCode) throws MYException{
// name string
String name = null;
// The select query to get the public key
final String selectQuery = MYConstants.SQL_SELECT_NAME_FROM_CUSTOMER_WHERE_CUSTOMER_NAME+ customerCode + "'";
// Declare variables
Connection connection = null;
PreparedStatement preparedStatement = null;
ResultSet rs = null;
try {
// Get connection
connection = myDataSource.getConnection();

// Check if selectQuery is not null
if(selectQuery!=null){
// Get prepare statement
preparedStatement = connection.prepareStatement(selectQuery);
// Execute query
rs = preparedStatement.executeQuery();
while (rs.next()) {
// Get the public key
name = rs.getString(1);
}

// Close prepare statement
preparedStatement.close();
}
} catch (SQLException e) {
log.error(
MYConstants.ERROR_OCCURRED_WHILE_GETTING_CUSTOMER_NAME, e);
}finally{
//Close the result set if it is not null
if(rs != null){
try {
rs.close();
} catch (SQLException e) {
log.error(MYConstants.DATE_BASE_CONNECTION_EXCEPTION);
throw new MYException (MYConstants.DATE_BASE_CONNECTION_EXCEPTION, e);
}
}
//Close the connection if it is not null
if (connection !=null){
try {
connection.close();
} catch (SQLException e) {
log.error(MYConstants.DATE_BASE_CONNECTION_EXCEPTION);
throw new MYException (MYConstants.DATE_BASE_CONNECTION_EXCEPTION, e);
}
}

}
// Return name
return name;
}


Here it gives a find bug P1 error since I create the SQL query from a non constant string.

Refer line below.

final String selectQuery = MYConstants.SQL_SELECT_NAME_FROM_CUSTOMER_WHERE_CUSTOMER_NAME+ customerCode + "'";

The following error description is given as well
The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable


I have no option here because I have to get the customercode as a parameter to the method.

Could anyone please let me know what I can do here to avoid this find bug issue.

Thanking you in advance,
Gayan
 
author & internet detective
Posts: 41860
908
Eclipse IDE VI Editor Java
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Gayan,
The message means you should use a string like "where customerName = ?" rather than "where customerName = '" + customerName + "'";

The former gives you the protection from sql injection while the later does not. If the user enters a badly formatted customerName it could cause problems.

Just curious: what tool is giving you that warning? It doesn't look like a compiler error. The tool is correct and the code should be changed. I'm just wondering what tool it is.
 
Gayan Keppetipola
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Hi Jeanne,

I tried what you said and changed the query to use "where customerName = ?" and before getting the results set i called preparedStatement.setString(1,customerCode) to set the customer code parameter. The code works just fine now and i don't get that warning too.

The tool we are using to check the code quality is FindBugs. It doesn't give a compile error just a warning in P1 level.

Thanks a lot for the help
With best regards,
Gayan
reply
    Bookmark Topic Watch Topic
  • New Topic