A prepared statement is generated from a nonconstant String

"The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable."

But if I am using a prepared statement, I am setting values into a dynamic string anyway, aren't I? What exactly does this warning mean?
setString(1, "tom");
setInt(2, age);
If you are using one, try taking the toString() out and see, or try declaring the statement as final.
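To make the warning concrete, here is an added example; it is not code from the original post and not FindBugs's own code. It assumes a JDBC Connection and a hypothetical users(id, name, age) table. The first method assembles the SQL text itself from user input before calling prepareStatement, which is exactly what the FindBugs pattern reports: the prepared statement offers no protection there, because the injection has already happened in the query text and there is no placeholder to bind. The second method keeps the SQL text a compile-time constant and moves the values into setString/setInt, as in the question's snippet. The third shows the one legitimate reason the text sometimes has to vary (identifiers such as an ORDER BY column cannot be bound) and how to keep that safe with an allowlist.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class PreparedStatementExample {

    // BAD: the SQL text is built from a non-constant String. FindBugs reports
    // SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING on the
    // prepareStatement() call. Whoever controls `name` controls the query:
    // the input   x' OR '1'='1   yields
    //   SELECT id, name, age FROM users WHERE name = 'x' OR '1'='1' AND age > 0
    // Using PreparedStatement changes nothing here; nothing is bound.
    static ResultSet findUsersUnsafe(Connection conn, String name, int age)
            throws SQLException {
        String sql = "SELECT id, name, age FROM users WHERE name = '" + name
                   + "' AND age > " + age;
        PreparedStatement ps = conn.prepareStatement(sql);   // flagged
        return ps.executeQuery();
    }

    // GOOD: the query text is a constant; user data reaches the database only
    // through bound parameters, which the driver sends separately from the
    // text, so it can never alter the query's structure. This is what
    // setString(1, "tom") / setInt(2, age) in the question are for.
    private static final String FIND_USERS =
        "SELECT id, name, age FROM users WHERE name = ? AND age > ?";

    static ResultSet findUsersSafe(Connection conn, String name, int age)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(FIND_USERS); // constant, not flagged
        ps.setString(1, name);
        ps.setInt(2, age);
        return ps.executeQuery();
    }

    // Caveat: identifiers (column or table names, ORDER BY targets) cannot be
    // bound with '?'. When the text genuinely has to vary, choose the fragment
    // from a fixed allowlist so attacker-controlled bytes never enter the SQL.
    // FindBugs may still flag this call (it sees only a non-constant string),
    // so suppress the finding with a written justification rather than by
    // weakening the check.
    private static final Set<String> SORTABLE = Set.of("name", "age");

    static PreparedStatement findUsersSorted(Connection conn, int minAge,
                                             String sortColumn) throws SQLException {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String sql = "SELECT id, name, age FROM users WHERE age > ? ORDER BY " + sortColumn;
        PreparedStatement ps = conn.prepareStatement(sql);
        ps.setInt(1, minAge);
        return ps;
    }
}
```

On the answer's two suggestions: removing a toString() helps only if it was a StringBuilder holding a literal that can be replaced by the literal itself. Declaring a local `final` does not help, because `final String sql = "..." + name` compiles to the same bytecode as without `final`, and FindBugs analyses the bytecode; the warning goes away only when the text passed to prepareStatement is made up entirely of literals, as FIND_USERS is above.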