Is Spring Data JPA safe against SQL injection
.save() is safe; only the use of native queries is vulnerable:

    List results = entityManager.createNativeQuery("Select * from Customer where name = " + name).getResultList();

You can make native queries safe too, if you use a parameter:

    Query sqlQuery = entityManager.createNativeQuery("Select * from Customer where name = ?", Customer.class);
    List results = sqlQuery.setParameter(1, "John Doe").getResultList();
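The same contrast shown at the Spring Data repository level and at the EntityManager level, added here as an example (it is not code from the answer or from the Spring Data project); the `customer` table, its columns and the `Customer` entity fields are assumptions for illustration:

```java
import java.util.List;
import jakarta.persistence.Entity;
import jakarta.persistence.EntityManager;
import jakarta.persistence.Id;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;

// Minimal entity; table and column names are assumptions for this example.
@Entity
class Customer {
    @Id
    private Long id;
    private String name;
    // getters and setters omitted
}

// Spring Data repository. Both methods bind `name` as a parameter, so an input such as
// "'Cosmin' or name='Jhon'" reaches the database as a single string value, never as SQL.
interface CustomerRepository extends JpaRepository<Customer, Long> {
    // Derived query: Spring Data generates JPQL with a bind parameter.
    List<Customer> findByName(String name);

    // Native SQL with a named bind parameter (safe).
    @Query(value = "SELECT * FROM customer WHERE name = :name", nativeQuery = true)
    List<Customer> findByNameNative(@Param("name") String name);
}

// The same two cases at the EntityManager level, mirroring the answer above.
class CustomerQueries {
    private final EntityManager em;
    CustomerQueries(EntityManager em) { this.em = em; }

    // VULNERABLE: user input is spliced into the SQL text. With the input
    // "'x' or name='Jhon'" the statement becomes
    // SELECT * FROM customer WHERE name = 'x' or name='Jhon'
    @SuppressWarnings("unchecked")
    List<Customer> unsafe(String name) {
        return em.createNativeQuery("SELECT * FROM customer WHERE name = " + name, Customer.class)
                 .getResultList();
    }

    // SAFE: the SQL text is fixed; the value is bound as a parameter and treated as data.
    @SuppressWarnings("unchecked")
    List<Customer> safe(String name) {
        return em.createNativeQuery("SELECT * FROM customer WHERE name = ?1", Customer.class)
                 .setParameter(1, name)
                 .getResultList();
    }
}
```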
Author: Dago
Updated on June 05, 2022

Comments
- Dago (almost 2 years ago): I am trying to find information about Spring Security JPA and whether methods like .save() are protected from SQL injection. For instance, I have an object Customer that I want to persist to my database. I am using the CustomerRepository Spring implementation to operate on that entity. Customer's constructor is using parameters from the user. When everything is staged I am invoking .save(). Is this safe against SQL injection, or should I do the check-up first?
- Dago (over 7 years ago): So for instance, if the Customer object has a field name, and it is set to be a string: Select * from Customer where name = 'test' and I use the save() method, nothing wrong with the table will happen?
- jklee (over 7 years ago): The JDBC driver will escape this data appropriately before the query is executed.
- Cosmin Oprea (almost 6 years ago): The problem here is when String name = "'Cosmin' or name='Jhon'"
- fatih yavuz (about 4 years ago): Are CrudRepository methods like .save() and .delete() safe from SQL injection?
- Dan Ortega (about 3 years ago): @jklee Do you have a reference for your argument? It seems to be hard to find.