I’m trying to understand how exactly someone who doesn’t already have access to the source code can exploit a non-final class that has a constructor which invokes overridable functions (functions not marked final). This question comes from the fact that after scanning my source code with a Source Code Analyzer (Fortify), it showed a few findings about “Code Correctness: Constructor
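The hazard behind that Fortify category, as an added example that is not part of the original question: a subclass only needs the base class's protected API, not its source, to override the method the constructor calls. The override runs before the base constructor has finished validating the object and before the subclass's own fields are initialised, so it can both observe half-built state and stash `this` for later use even when the constructor goes on to throw. Class and method names (`AccountConfig`, `onCreate`, `Leaky`) are hypothetical.

```java
// Added example (not from the original post). Shows why a constructor that
// calls a non-final method is a finding: a subclass can run code inside the
// base constructor and keep a reference to an object the constructor rejected.
public class OverridableCtorDemo {

    // Non-final class whose constructor calls an overridable hook.
    static class AccountConfig {
        private final String owner;
        private boolean validated = false;

        AccountConfig(String owner) {
            this.owner = owner;
            onCreate();                       // overridable call, object not yet validated
            if (owner == null || owner.isEmpty()) {
                throw new IllegalArgumentException("owner required");
            }
            this.validated = true;            // only reached for acceptable input
        }

        protected void onCreate() { /* hook for subclasses */ }

        boolean isValidated() { return validated; }
        String owner() { return owner; }
    }

    // Hypothetical attacker-supplied subclass. It compiles against the
    // protected API alone; no access to AccountConfig's source is needed.
    static class Leaky extends AccountConfig {
        static AccountConfig captured;        // escape hatch for the half-built object
        private String tag = "set-after-super"; // deliberately non-final so it is not inlined

        Leaky(String owner) { super(owner); }

        @Override
        protected void onCreate() {
            captured = this;                  // leak 'this' before validation runs
            // Subclass field initialisers have not executed yet at this point.
            System.out.println("tag inside onCreate = " + tag);   // prints null
        }
    }

    public static void main(String[] args) {
        try {
            new Leaky("");                    // base constructor throws after onCreate ran
        } catch (IllegalArgumentException e) {
            System.out.println("constructor rejected input: " + e.getMessage());
        }
        // The rejected instance still exists and reports validated == false.
        System.out.println("captured reference kept: " + (Leaky.captured != null));
        System.out.println("captured.isValidated(): " + Leaky.captured.isValidated());
        System.out.println("captured.owner() is empty: " + Leaky.captured.owner().isEmpty());
    }
}
```

Making the class `final`, making `onCreate()` `final` or `private`, or moving the hook out of the constructor into a separate factory or `init()` step removes the window the subclass relies on.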
Tag: fortify
HP Fortify SQL injection issue on preparedStatement in java
I am using HP Fortify to measure code quality of my java code. HP Fortify is reporting a SQL Injection error on so how do I resolve this?
Answer
From my experience, HP Fortify will report an error on this scenario if it cannot trace the origin of all the Strings you are using to build your queryString to constants. If any
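The distinction the answer draws, as an added example that is not code from the original question or answer: a `PreparedStatement` does not help when the untrusted value has already been concatenated into the SQL text, because the analyzer cannot trace that text back to a constant. The fixed form keeps the SQL text a literal and binds the value with `?`; for identifiers such as column names, which cannot be bound, a lookup onto a fixed set of literal strings keeps every String that reaches the query text traceable to a constant, which is the property the answer describes. Table and column names and the helper names (`findUserVulnerable`, `findUserSafe`, `orderedUsersSql`) are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Map;

// Added example (not from the original post). Contrasts the concatenation
// pattern Fortify flags with the parameterised form whose query text is a
// compile-time constant.
public class FortifySqlDemo {

    // FLAGGED: the query text depends on a runtime String, so it cannot be
    // traced to constants. Wrapping it in a PreparedStatement changes nothing,
    // because the untrusted value is already part of the SQL itself.
    static String vulnerableQuery(String userName) {
        return "SELECT id, email FROM users WHERE name = '" + userName + "'";
    }

    static ResultSet findUserVulnerable(Connection c, String userName) throws SQLException {
        PreparedStatement ps = c.prepareStatement(vulnerableQuery(userName));
        return ps.executeQuery();
    }

    // ACCEPTED: the SQL text is a literal; the untrusted value travels as a
    // bound parameter and cannot alter the query structure.
    private static final String FIND_USER_SQL =
        "SELECT id, email FROM users WHERE name = ?";

    static ResultSet findUserSafe(Connection c, String userName) throws SQLException {
        PreparedStatement ps = c.prepareStatement(FIND_USER_SQL);
        ps.setString(1, userName);
        return ps.executeQuery();
    }

    // Identifiers cannot be bound with '?'. When a column must vary, map the
    // request onto a fixed set of literals so the query is still built only
    // from constants; anything outside the map is rejected.
    private static final Map<String, String> SORT_COLUMNS =
        Map.of("name", "name", "email", "email", "created", "created_at");

    static String orderedUsersSql(String requestedSort) {
        String column = SORT_COLUMNS.get(requestedSort);
        if (column == null) {
            throw new IllegalArgumentException("unsupported sort key: " + requestedSort);
        }
        return "SELECT id, email FROM users ORDER BY " + column;
    }

    public static void main(String[] args) {
        // Constructed hostile input, not a captured value.
        String hostile = "x' OR '1'='1";
        System.out.println("vulnerable text : " + vulnerableQuery(hostile));
        System.out.println("safe text       : " + FIND_USER_SQL + "   [bound param: " + hostile + "]");
        System.out.println("whitelisted sort: " + orderedUsersSql("created"));
        try {
            orderedUsersSql("created; DROP TABLE users");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected        : " + e.getMessage());
        }
    }
}
```

Whether a given analyzer treats the map lookup as sufficient depends on its dataflow rules; the dependable fix is to make sure no String that originates from input is ever concatenated into the query text, and to bind values with `setString`, `setInt` and the other `setXxx` methods.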