SQL built with string concatenation (Java)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A JDBC executeQuery/prepareStatement call concatenates a value into the SQL string with + instead of using a PreparedStatement placeholder.
Why it matters
Concatenating a value into the SQL passed to executeQuery or prepareStatement builds the query from text, which is SQL injection when the value is user-controlled. A PreparedStatement with placeholders is the standard fix. It is a heuristic because concatenating a constant is safe but looks identical.
How to fix it
Use a PreparedStatement with ? placeholders and setString/setInt to bind each value, and stop concatenating into the SQL. If you use JPA or an ORM, use named parameters or the criteria API rather than string building.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo