We had a security scan done on our application, and it found a few blind SQL injection issues. It still reports the issue after we switched to a prepared statement.
Does using a prepared statement alone not solve blind SQL injection issues? Does having string concatenation in a prepared statement spoil the advantage?

private static final String SELECT_STATEMENT = "SELECT email, phone FROM tuser WHERE name = ?";

public void execute(String name) throws SQLException {
    // The concatenated part is a compile-time constant, not user input
    PreparedStatement preparedStatement = theConnection.prepareStatement(SELECT_STATEMENT + " ORDER BY name");
    preparedStatement.setString(1, name);
    rs = preparedStatement.executeQuery();
}

Can you let me know what's wrong with the code and how to solve it? Is data validation the way? What if I want to allow those characters?
Your code is fine from a security standpoint; it is a false alarm reported by the scanner (whichever one it is).
You should configure the scanner to ignore these kinds of warnings.
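To make the distinction concrete, here is the same pattern as the JDBC snippet above, written as an added example in Python with sqlite3 so it runs stand-alone (it is not code from the question or the answer). The name value goes through a placeholder and is always treated as data; the ORDER BY column, which a placeholder cannot bind, is checked against a constructed allowlist before it is concatenated. The table and rows are constructed for the example.

```python
import sqlite3

# Constructed allowlist of identifiers a caller may sort by. Identifiers
# cannot be bound with "?", so this check is what keeps the concatenation safe.
SORTABLE_COLUMNS = {"name", "email"}


def build_query(sort_column: str) -> str:
    """Return the SQL text; the only dynamic piece is an allowlisted identifier."""
    if sort_column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    # Equivalent to SELECT_STATEMENT + " ORDER BY ..." in the JDBC code
    return "SELECT email, phone FROM tuser WHERE name = ? ORDER BY " + sort_column


def find_user(conn, name, sort_column="name"):
    """Run the query with `name` bound as a parameter, never spliced into SQL."""
    cur = conn.execute(build_query(sort_column), (name,))
    return cur.fetchall()


def sample_db():
    """Build an in-memory table with constructed rows for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tuser (name TEXT, email TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO tuser VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "111"), ("bob", "bob@example.com", "222")],
    )
    return conn


if __name__ == "__main__":
    db = sample_db()
    print(find_user(db, "alice"))              # matches the literal name only
    print(find_user(db, "alice' OR 'x'='x"))   # bound as data: no such name, no rows
```

A scanner that flags the constant concatenation cannot tell the two cases apart; the allowlist is the check to add only where the concatenated piece really does come from a caller.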