Eduardo
Reputation: 1199
Native sql query- SQL Injection Attack
I'm working with JPA. How could my application be SQL injection safe if I'm using a native sql query (not entity query)? I need to build the native sql query with the data submitted by a user from a html form.
If I use parameters in the native sql I can avoid SQL injection attacks, but my problem is that I can't be sure how many data fields are being submitted by the user.
Upvotes: 4
Views: 7902
Answers (1)
Maciej Dobrowolski
Reputation: 12122
You should use positional parameters binding:
String queryString = "select * from EMP e where e.name = ?1";
Query query = em.createNativeQuery(queryString, Employee.class);
query.setParameter(1, "Mickey");
Please note that you should not use named parameters binding (:empName) in your query as JPA Spec says
Only positional parameter binding may be portably used for native queries.
This should secure you from SQL Injection attacks.
Upvotes: 10
Related Questions
- Avoiding SQL injection in java
- How to prevent SQL Injection with JPA and Hibernate?
- How to prevent sql injection in JPA
- Are SQL injection attacks possible in JPA?
- JAVA - Possible SQL Injection
- How to prevent SQL injection attack when a sql query is passed in from the UI
- Prevent Sql Injection (Java)
- SQL Injection and possible attacks
- Is this JPA query vulnerable to SQL injection?
- Avoiding SQL Injection