请求参数导致SQL注入带有准备好的语句

我看到一个SQL注入

SELECT count(id) FROM user  WHERE code= 67 AND user.postal_code like  UPPER('%AL%')

我将此设置为

private int loaddGrantees(Long code, String value)
{
DBConnectionManager dBConnectionManager = null;
Connection conn = null;
PreparedStatement pstmt = null;
ResultSet rs = null;
dBConnectionManager = new DBConnectionManager();
conn = dBConnectionManager.getConnectionObject(XXX,XXX);
string sql =  SELECT count(id) FROM user  WHERE code= ? AND user.postal_code LIKE UPPER(?);
pstmt = conn.prepareStatement(sql);
pstmt.setLong(1, code);
pstmt.setString(2, "%" +value+ "%");
rs = pstmt.executeQuery();
while (rs.next()) {
number = rs.getInt(1);
}
return number;
}

从HTTPRequest中，我看到该值是从String value＝request.getParameter("Val"(；

我能知道如何避免postal_code的sql注入吗？我看到代码参数没有从httpRequest 中检索到

> Vulnerability says:
> 
> /XX/XX/XXX/XX/XX/6769/XX/AL/XX page of the application has been found
> to be vulnerable to a SQL Injection attack in the path parameter
> :value.
> 
> The source code that uses this path parameter in the page is:
> 
> loadGrantees(Person.java:5036)
> org.apache.tomcat.dbcp.dbcp2.DelegatingPreparedStatement.executeQuery();
> 
>     ...   }   ... }
> 
> This code has generated the following query in order to interact with
> the database, using the path parameter value: Note: AL represents the
> value which I am passing in the preparedstatement
> 
> SELECT count(id) FROM user  WHERE code= ? AND user.postal_code LIKE
> UPPER(?); The path parameter searchString in the URL
> /XX/XX/XXX/XX/XX/6769/XX/AL/XX can be modified to contain SQL syntax
> hence changing the query structure, causing unexpected application
> behavior which could lead to information theft, privileges escalation
> and unauthorized actions performed by the attacker.