Review

Detector:

Findbugs

Target:

project '

odata4j

' version

0.6

Tags:

Potential Misuse

Anomaly identified by the detector. Please review whether this anomaly corresponds to a misuse.

Finding:	finding-0
In File:	org/odata4j/producer/jdbc/SqlStatement.java
In Method:	asPreparedStatement(Connection)
Code with Finding:	`class SqlStatement { public PreparedStatement asPreparedStatement(Connection conn) throws SQLException { PreparedStatement stmt = conn.prepareStatement(sql); for (int i = 0; i < params.size(); i++) { SqlParameter p = params.get(i); if (p.sqlType == null) { stmt.setObject(i + 1, p.value); } else { stmt.setObject(i + 1, p.value, p.sqlType); } } return stmt; } }`

Metadata

Hit	Rank	Desc	Type	Violations
No	0	SECSQLIJDBC: This use of java/sql/Connection.prepareStatement(Ljava/lang/String;)Ljava/sql/PreparedStatement; can be vulnerable to SQL injection	SQL_INJECTION_JDBC

Reviewer Name:	anna
Comment:	A prepared statement accepts only the variables of the SQL query. The database won't accept parameteres which are not correctly formatted.