Skip to content

HP Fortify SQL injection issue on preparedStatement in java

I am using HP Fortify to measure code quality of my java code.

HP Fortify is reporting SQL Injection error on

PreparedStatement stmt = connnection.prepareStatement(queryString);

so how to resolve this?



From my experience, HP Fortify will report an error on this scenario if it cannot trace the origin of all the Strings you are using to build your queryString to constants. If any part of the string is read from the disk or passed as a request parameter, then you are at risk of being vulnerable to a SQL injection.

The recommended solution is to never use external strings when building your SQL query string. Your SQL String should only be built from String constants, and every parameter inserted at runtime should be inserted as a bind variable, which means its location should appear as a “?” in the SQL string, and its value should be set using the setX() methods of the PreparedStatement class.

Note that you should always used bind variables when creating PreparedStatements in Java: It’s not only a good security practice, it’s a good performance practice as it will not require the database to re-parse the SQL query every time a parameter value changes.