SQL injection warning on a prepared statement
szws 2009-01-06 10:09:36 Checking the following code with findbugs reports this error:
SQL:A prepared statement is generated from a nonconstant String
The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable.
StringBuffer sql = new StringBuffer(128);
sql.append("insert into xxx(aaa)");
sql.append(" values(?)");
String istSql = sql.toString(); // mod by szw
String sql1 = "insert into xxx(aaa) values(?)";
pstmt = conn.prepareStatement(sql.toString()); // findbugs reports an error
Change 1: pstmt = conn.prepareStatement(istSql); // findbugs still reports an error
Change 2: pstmt = conn.prepareStatement(sql1); // findbugs does not report an error
Could someone explain why?
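The following is an added illustration, not part of the original post, of the three situations the FindBugs message distinguishes: SQL text that is a compile-time constant with the user value bound through a `?` placeholder, SQL text assembled at runtime from constant pieces (the poster's StringBuffer case), and SQL text with user data concatenated into it, which is what the warning exists to catch. The table `xxx`, column `aaa`, method names and the `Connection` passed in are assumptions for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class PreparedStatementExample {

    // Compile-time constant: the SQL text can never contain user data, so the
    // analyzer accepts prepareStatement() with this argument.
    private static final String INSERT_SQL = "insert into xxx(aaa) values(?)";

    // Safe: the SQL text is fixed and the user value travels as a bound
    // parameter, so the database never parses it as SQL syntax.
    static int insertWithBinding(Connection conn, String userValue) throws SQLException {
        try (PreparedStatement pstmt = conn.prepareStatement(INSERT_SQL)) {
            pstmt.setString(1, userValue);
            return pstmt.executeUpdate();
        }
    }

    // Equally safe at runtime, but still reported: every append() argument is a
    // literal here, yet a static checker only sees that the String handed to
    // prepareStatement() is the result of method calls, not a constant, and it
    // cannot prove that no tainted data flowed into the buffer.
    static int insertWithBuffer(Connection conn, String userValue) throws SQLException {
        StringBuffer sql = new StringBuffer(128);
        sql.append("insert into xxx(aaa)");
        sql.append(" values(?)");
        try (PreparedStatement pstmt = conn.prepareStatement(sql.toString())) {
            pstmt.setString(1, userValue);
            return pstmt.executeUpdate();
        }
    }

    // The case the warning is meant to catch: user data becomes part of the SQL
    // text. A quote character inside userValue ends the literal early and the
    // remainder of the input is parsed as SQL, even though a PreparedStatement
    // is used. Shown only as the pattern to refactor into insertWithBinding().
    static int insertByConcatenation(Connection conn, String userValue) throws SQLException {
        String sql = "insert into xxx(aaa) values('" + userValue + "')";
        try (PreparedStatement pstmt = conn.prepareStatement(sql)) {
            return pstmt.executeUpdate();
        }
    }
}
```

In a review, the first method is the form to keep; the second can be rewritten to a constant (as the poster's "Change 2" does) so the warning disappears without suppressing it; the third must be changed, not annotated away.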