Hi all,
I have a method in the following nature
public
String getNameForCustomer(final String customerCode) throws MYException{
// name string
String name = null;
// The select query to get the public key
final String selectQuery = MYConstants.SQL_SELECT_NAME_FROM_CUSTOMER_WHERE_CUSTOMER_NAME+ customerCode + "'";
// Declare variables
Connection connection = null;
PreparedStatement preparedStatement = null;
ResultSet rs = null;
try {
// Get connection
connection = myDataSource.getConnection();
// Check if selectQuery is not null
if(selectQuery!=null){
// Get prepare statement
preparedStatement = connection.prepareStatement(selectQuery);
// Execute query
rs = preparedStatement.executeQuery();
while (rs.next()) {
// Get the public key
name = rs.getString(1);
}
// Close prepare statement
preparedStatement.close();
}
} catch (SQLException e) {
log.error(
MYConstants.ERROR_OCCURRED_WHILE_GETTING_CUSTOMER_NAME, e);
}finally{
//Close the result set if it is not null
if(rs != null){
try {
rs.close();
} catch (SQLException e) {
log.error(MYConstants.DATE_BASE_CONNECTION_EXCEPTION);
throw new MYException (MYConstants.DATE_BASE_CONNECTION_EXCEPTION, e);
}
}
//Close the connection if it is not null
if (connection !=null){
try {
connection.close();
} catch (SQLException e) {
log.error(MYConstants.DATE_BASE_CONNECTION_EXCEPTION);
throw new MYException (MYConstants.DATE_BASE_CONNECTION_EXCEPTION, e);
}
}
}
// Return name
return name;
}
Here it gives a find bug P1 error since I create the SQL query from a non constant string.
Refer line below.
final String selectQuery = MYConstants.SQL_SELECT_NAME_FROM_CUSTOMER_WHERE_CUSTOMER_NAME+ customerCode + "'"; The following error description is given as well
The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable I have no option here because I have to get the
customercode as a parameter to the method.
Could anyone please let me know what I can do here to avoid this find bug issue.
Thanking you in advance,
Gayan