I have the following code:

final String query = "SELECT id FROM " + getSimpleName() + " WHERE " + relationName + ".id = :successor";
final Query queryConcerned = this.entityManager.createQuery(query);
// the parameter is bound on the Query object, not on the String that holds the JPQL text
queryConcerned.setParameter("successor", successorId);

But Sonar gives the following warning:

Use a variable binding mechanism to construct this query instead of concatenation.

As you can see, the values I'm concatenating are not parameters. In doing so, am I vulnerable to SQL injection, and if so, how can I solve this?

  • The fix for this is to simply not concatenate your query together, but to use a single string instead. As to how you do this, you'll need to find a way to not have this need. If you need to support, say, 3 tables, then create 3 statements, one for each table, each using a single string (of course, you have another concatenation in there, but hopefully you get the point). May 9, 2018 at 15:09
  • @TimBiegeleisen yes, I got your point. The problem is that this code is generic and the tables to support are unknown; unfortunately, building a string for each case is not possible at the moment. May 9, 2018 at 15:12
  • Then ignore those warnings, there is no reason why this should stop your code from compiling. Anyway, the warnings are just saying that you might get injected. If you strictly control those table names internally, with zero input from the outside, it shouldn't be too dangerous. May 9, 2018 at 15:14
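An added example (not code from the question or its comments) of the approach the last comment alludes to: the entity name and relation name are structural parts of the JPQL text and cannot be bound with setParameter, so they are checked against the JPA metamodel before being concatenated, while the id value is still bound. It assumes JPA 2.x under javax.persistence and takes the entity name as a parameter instead of calling getSimpleName().

```java
import javax.persistence.EntityManager;
import javax.persistence.Query;
import javax.persistence.metamodel.EntityType;
import javax.persistence.metamodel.Metamodel;

/** Added example, not from the question: same query, but dynamic identifiers are validated first. */
public final class SuccessorQuery {

    private final EntityManager entityManager;

    public SuccessorQuery(EntityManager entityManager) {
        this.entityManager = entityManager;
    }

    /**
     * entityName and relationName are identifiers, not values, so they cannot be
     * bound as parameters; instead they must match what the persistence unit maps.
     * successorId is a value and is bound with setParameter as in the question.
     */
    public Query build(String entityName, String relationName, Object successorId) {
        Metamodel metamodel = entityManager.getMetamodel();

        // Reject any entity name that is not a mapped entity of this persistence unit.
        EntityType<?> entity = metamodel.getEntities().stream()
                .filter(e -> e.getName().equals(entityName))
                .findFirst()
                .orElseThrow(() -> new IllegalArgumentException("Unknown entity: " + entityName));

        // getAttribute throws IllegalArgumentException when relationName is not a mapped
        // attribute of that entity, so arbitrary text never reaches the query string.
        entity.getAttribute(relationName);

        // Only metamodel-approved identifiers are concatenated; the id value is bound.
        String jpql = "SELECT e.id FROM " + entity.getName() + " e WHERE e." + relationName
                + ".id = :successor";
        Query query = entityManager.createQuery(jpql);
        query.setParameter("successor", successorId);
        return query;
    }
}
```

Sonar will still flag the concatenation, since it cannot see the validation; the point is that the concatenated pieces can no longer be anything other than names the persistence unit already knows.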
