Dago
Reputation: 808
Is Spring Data JPA safe against SQL injection
I am trying to find information about Spring Security JPA and if methods like .save() are protected from sql injection.
For instance I have object Customer. that I want to persist to my database.
I am using CustomerRepository Spring implementation to operate on that entity.
Customer's constructor is using parameters from the user. When everything is staged I am invoking .save(). Is this safe against sql injection or Should I do the check up first?
Upvotes: 24
Views: 19486
Answers (1)
jklee
Reputation: 2268
.save() is safe, only the usage of native queries is vulnerable.
List results = entityManager.createNativeQuery("Select * from Customer where name = " + name).getResultList();
You can make native queries safe also, if you use a parameter.
Query sqlQuery = entityManager.createNativeQuery("Select * from Customer where name = ?", Customer.class);
List results = sqlQuery.setParameter(1, "John Doe").getResultList();
Upvotes: 21
Related Questions
- Is Java Spring JPA native query SQL injection proof?
- SQL Injection Prevention in Spring Boot
- Is SpringBoot Data JPA Repository Safe Against SQL Injection?
- Avoid SQL Injection in Spring JPA
- How to prevent sql injection in JPA
- Are Spring SpEL queries safe from SQL injection attacks?
- Are SQL injection attacks possible in JPA?
- Does Spring JDBC provide any protection from SQL injection attacks?
- how much safe from SQL-Injection if using hibernate
- Is the SimpleJdbcTemplate in Spring safe from SQL Injection?