
Query flagged as sqlInjection when passing parameters to a method

Updated: 2022-01-14 00:11:36

This is a false alarm, you're doing it the right way.

There are frameworks that can help you with this (e.g. Spring's NamedParameterJdbcTemplate), but they basically do the same thing under the hood.

The static analyzer is probably catching the fact that you're building your query by concatenating strings, or that the size of the input is somehow involved, and flagging it as a danger (only guessing here).

On a side note, a potential problem that however has nothing to do with SQL injection is that you can only use a certain number (DB-dependent) of those parameters - AFAIK the limit's 1000 in Oracle, about 2000 in Teradata, not sure about others. If you need to put many values in that IN clause, you'll need to use a different approach like using a temporary table or performing the query in smaller batches and merging the results in Java.
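An added example, not part of the original answer, that shows both points the answer makes: an IN clause whose placeholder count is generated from the input while every value is bound as a parameter (the pattern the answer calls safe), and batching plus client-side merging to stay under a per-statement bind-variable limit. It is written against Python's sqlite3 rather than JDBC so it runs offline, but the DB-API `?` markers work the same way as a JDBC PreparedStatement. The `users` table, its rows, and the `max_params` ceiling are constructed for the demo; the 999 default is SQLite's classic SQLITE_MAX_VARIABLE_NUMBER, not a number from the answer. The `fetch_by_ids_unsafe` function is included only as the contrast the analyzer is right to flag.

```python
from __future__ import annotations

import sqlite3
from typing import Any, Sequence

# Constructed sample rows for the demo (not data from the original page).
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol"), (4, "dave"), (5, "erin")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def in_clause_sql(n: int) -> str:
    """Build 'SELECT ... WHERE id IN (?, ?, ...)' with n bind markers.

    Only the *number* of markers depends on the input; no value is ever
    spliced into the SQL text, which is why this is not an injection.
    """
    if n <= 0:
        raise ValueError("IN list must not be empty")
    return "SELECT id, name FROM users WHERE id IN (%s)" % ", ".join(["?"] * n)


def fetch_by_ids(conn: sqlite3.Connection, ids: Sequence[Any],
                 max_params: int = 999) -> list[tuple[int, str]]:
    """Parameterised IN lookup, split into batches of at most max_params.

    max_params models the per-statement bind-variable ceiling the answer
    mentions (1000 in Oracle, ~2000 in Teradata; 999 was SQLite's classic
    default - an assumption for this demo). Batches are merged and
    re-sorted client-side, the "smaller batches" approach from the answer.
    """
    rows: list[tuple[int, str]] = []
    ids = list(ids)
    for start in range(0, len(ids), max_params):
        batch = ids[start:start + max_params]
        rows.extend(conn.execute(in_clause_sql(len(batch)), batch).fetchall())
    rows.sort(key=lambda r: r[0])
    return rows


def fetch_by_ids_unsafe(conn: sqlite3.Connection,
                        ids: Sequence[Any]) -> list[tuple[int, str]]:
    """The pattern a static analyser is right to flag: values concatenated
    straight into the SQL text. Shown only as the contrast; do not use."""
    sql = "SELECT id, name FROM users WHERE id IN (%s)" % ", ".join(str(v) for v in ids)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(fetch_by_ids(db, [1, 3, 5]))
    print(fetch_by_ids(db, [5, 4, 3, 2, 1], max_params=2))  # three batches, merged
    hostile = ["1) OR 1=1 --"]
    print(fetch_by_ids(db, hostile))         # bound as a value: matches nothing
    print(fetch_by_ids_unsafe(db, hostile))  # spliced into the SQL: every row
```

Running it with `max_params=2` on five ids shows the statement being issued three times and the results merged, which is what you would do in Java once the IN list approaches the database's limit. The hostile string passed to `fetch_by_ids` is compared as a single bound value and matches no row; the same string given to `fetch_by_ids_unsafe` rewrites the query and returns the whole table.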