Inspectopedia 2025.3 Help

Non-safe string is used as SQL

Reports cases in Java and Kotlin code where a non-safe string is passed to a method as an SQL query. Such a call can be a cause of SQL injection. The list of methods is taken from Settings | Language Injections for SQL, JPA QL, Hibernate QL, and PostgreSQL.

A safe object is:

  • a string literal, an interface instance, an enum object, an int or its wrapper, a boolean or its wrapper, or a class object

  • the result of a method call whose receiver and arguments are safe

  • a private field in the same file that is assigned only string literals and has a safe initializer

  • a final field in the same file that has a safe initializer

  • a local variable that is assigned only safe objects

Such a field, local variable, or parameter must not be passed as an argument to a method or used as a qualifier, unless it is a primitive, its wrapper, or an immutable object. Static final fields are considered safe.

The analysis is performed only inside one file. Example:

public void save(String sql) {
    JdbcTemplate jdbcTemplate = new JdbcTemplate();
    jdbcTemplate.queryForList(sql); // 'sql' is a public method parameter, not a safe object: reported
}
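The following is an added example, not from the Inspectopedia page, that puts a reported flow next to two flows the inspection treats as safe. It assumes the JDK's java.sql API (java.sql.Statement and PreparedStatement are assumed to be among the methods configured as SQL injection points) and the default inspection options; the verdict comments state the expected result under those assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserRepository {

    // Static final field with a string-literal initializer: a safe object.
    private static final String FIND_BY_NAME =
            "SELECT id, name FROM users WHERE name = ?";

    private final Connection connection;

    public UserRepository(Connection connection) {
        this.connection = connection;
    }

    // Expected: REPORTED. 'name' is a parameter of a public method, so the
    // file-local analysis cannot know where it comes from, and the
    // concatenated query string is therefore not a safe object.
    public ResultSet findByNameUnsafe(String name) throws SQLException {
        String sql = "SELECT id, name FROM users WHERE name = '" + name + "'";
        Statement statement = connection.createStatement();
        return statement.executeQuery(sql); // non-safe string reaches the SQL sink
    }

    // Expected: NOT REPORTED. The query text is the safe constant above; the
    // untrusted value travels only through a bind parameter, never through
    // the SQL string itself.
    public ResultSet findByName(String name) throws SQLException {
        PreparedStatement statement = connection.prepareStatement(FIND_BY_NAME);
        statement.setString(1, name);
        return statement.executeQuery();
    }

    // Expected: NOT REPORTED while "Consider parameters of private methods as
    // safe" is selected (the default). 'orderColumn' is a private-method
    // parameter, so every caller in this file is responsible for passing only
    // safe values such as literals.
    private ResultSet listOrderedBy(String orderColumn) throws SQLException {
        Statement statement = connection.createStatement();
        return statement.executeQuery("SELECT id, name FROM users ORDER BY " + orderColumn);
    }

    public ResultSet listByName() throws SQLException {
        return listOrderedBy("name"); // string literal at the call site: safe
    }
}
```

Deselecting the "Consider parameters of private methods as safe" option makes the analysis treat listOrderedBy like findByNameUnsafe, which is the stricter setting to choose when callers of private methods are not reviewed together with the method.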

Locating this inspection

By ID

Can be used to locate the inspection in, for example, Qodana configuration files, where you can quickly enable or disable it or adjust its settings.

SqlSourceToSinkFlow

Via Settings dialog

Path to the inspection settings in the IntelliJ Platform IDE Settings dialog, for when you need to adjust inspection settings directly from your IDE.

Settings or Preferences | Editor | Inspections | JVM languages

Inspection ID: SqlSourceToSinkFlow

New in 2023.2

Inspection options

Here you can find the description of the settings available for the Non-safe string is used as SQL inspection, and the reference for their default values.

Consider parameters of private methods as safe

Option ID:

parameterOfPrivateMethodIsUntainted

Default value:

Selected

Consider private or final fields in the same class as safe

Option ID:

privateOrFinalFieldSafe

Default value:

Selected

Report strings that are too complex to verify

Option ID:

warnIfComplex

Default value:

Not selected

Untainted annotations

Option ID:

untaintedAnnotations

Default value:

[javax.annotation.Untainted, org.checkerframework.checker.tainting.qual.Untainted]

Safe classes

Option ID:

skipClasses

Default value:

[java.lang.Boolean, boolean, kotlin.Boolean, java.lang.Class, kotlin.reflect.KClass, char, java.lang.Character, kotlin.Char, int, java.lang.Integer, kotlin.Int, long, java.lang.Long, kotlin.Long]

Untainted methods

Default value:

None

Suppressing Inspection

You can suppress this inspection by placing the following comment marker before the code fragment for which you no longer want messages from this inspection to appear:

//noinspection SqlSourceToSinkFlow

More detailed instructions, as well as other ways and options available to you, can be found in the product documentation.

Inspection Details

By default bundled with:

IntelliJ IDEA 2025.3, Qodana for JVM 2025.3

Last modified: 03 December 2025