autoboss

Reputation: 21

SQL Injection using JPA

Snyk is reporting a SQL injection which I don't know how to resolve. I have tried using a PreparedStatement, which does resolve the issue but returns incorrect data.

The query:

    @Query(value = "SELECT dsm.*, rc.order FROM StoreInfo.response_configuration rc INNER JOIN StoreInfo.data_source_mapping dsm ON rc.data_source_mapping_id = dsm.id WHERE rc.request_source_id = (SELECT ID FROM StoreInfo.request_source where name = :source and active = true)", nativeQuery = true)
    public List<DataSourceMappingEntity> getMappings(@Param("source") String source);

Also, when I use a PreparedStatement or Query, no data is returned, but when I use JPA like the above, it returns some data. Example:

    // Native query with a JDBC-style positional placeholder, bound with setParameter(1, ...)
    private List<DataSourceMappingEntity> getMappingsUsingPreparedStatement(String source) {
        String query = "SELECT dsm.*, rc.order " +
                "FROM StoreInfo.response_configuration rc " +
                "INNER JOIN StoreInfo.data_source_mapping dsm ON rc.data_source_mapping_id = dsm.id " +
                "WHERE rc.request_source_id = (" +
                "    SELECT ID FROM StoreInfo.request_source WHERE name = ? AND active = true" +
                ")";
        Query sqlQuery = entityManager.createNativeQuery(query, DataSourceMappingEntity.class);
        // getResultList() returns a raw List; the entity class passed above fixes the element type
        @SuppressWarnings("unchecked")
        List<DataSourceMappingEntity> results = sqlQuery.setParameter(1, source).getResultList();

        return results;
    }

Anyone with ideas on how to resolve this? Thank you.

Upvotes: 1

Views: 82
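The following is an added example, not the asker's code, showing the same lookup written three ways so the security-relevant difference is visible: the only version that an injection rule is right to report is the one where the caller-supplied value is concatenated into the SQL text. Both `?1` and `:source` are bind parameters; the query text is fixed at compile time and the value is sent to the driver separately, so a name such as `O'Reilly` is compared literally instead of being parsed as SQL. The `StoreInfo.*` table names come from the question; `DataSourceMappingEntity` is assumed to be the asker's mapped entity class, and the `jakarta.persistence` package is assumed (older Spring Boot versions use `javax.persistence`).

```java
import jakarta.persistence.EntityManager;
import jakarta.persistence.PersistenceContext;
import jakarta.persistence.Query;
import java.util.List;

// Added example: the lookup from the question as a native query, once as the
// pattern a SQL-injection rule reports and twice with bound parameters.
public class DataSourceMappingLookup {

    // Shared, constant part of the statement (table names taken from the question).
    private static final String BASE_SQL =
            "SELECT dsm.*, rc.order "
          + "FROM StoreInfo.response_configuration rc "
          + "INNER JOIN StoreInfo.data_source_mapping dsm ON rc.data_source_mapping_id = dsm.id "
          + "WHERE rc.request_source_id = ("
          + "SELECT ID FROM StoreInfo.request_source WHERE name = ";
    private static final String TAIL_SQL = " AND active = true)";

    @PersistenceContext
    private EntityManager entityManager; // assumed to be injected by the container

    // UNSAFE: the caller-supplied value becomes part of the SQL text. This is the
    // data flow a SQL-injection rule exists to report. Even an honest value with an
    // apostrophe (O'Reilly) breaks the statement, which shows the value is being
    // parsed as SQL rather than compared as data.
    @SuppressWarnings("unchecked")
    public List<DataSourceMappingEntity> byNameConcatenated(String source) {
        String sql = BASE_SQL + "'" + source + "'" + TAIL_SQL;
        return entityManager.createNativeQuery(sql, DataSourceMappingEntity.class).getResultList();
    }

    // SAFE: ordinal bind parameter. ?1 is the form the JPA specification defines for
    // native queries; the SQL text is a compile-time constant and the value is bound.
    @SuppressWarnings("unchecked")
    public List<DataSourceMappingEntity> byNamePositional(String source) {
        Query q = entityManager.createNativeQuery(BASE_SQL + "?1" + TAIL_SQL, DataSourceMappingEntity.class);
        return q.setParameter(1, source).getResultList();
    }

    // SAFE: named bind parameter, which is exactly what :source in the @Query from the
    // question is. Named parameters in native queries are a Hibernate extension rather
    // than part of the JPA specification, but they are bound, never concatenated.
    @SuppressWarnings("unchecked")
    public List<DataSourceMappingEntity> byNameNamed(String source) {
        Query q = entityManager.createNativeQuery(BASE_SQL + ":source" + TAIL_SQL, DataSourceMappingEntity.class);
        return q.setParameter("source", source).getResultList();
    }
}
```

When a bound version returns no rows while the annotated version returns some, the useful check is to log the SQL actually sent and the values bound to it (with Spring Boot, `spring.jpa.show-sql=true` or `logging.level.org.hibernate.SQL=DEBUG`) and compare the two statements side by side, rather than falling back to concatenation to make the result match.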

Answers (0)
