Is Spring Data JPA safe against SQL injection


.save() is safe; only the use of native queries is vulnerable.

// Vulnerable: user input is concatenated into the SQL text
List results = entityManager.createNativeQuery("Select * from Customer where name = " + name).getResultList();

You can also make native queries safe if you use a parameter.

// Safe: the value is bound to the positional parameter, not spliced into the SQL
Query sqlQuery = entityManager.createNativeQuery("Select * from Customer where name = ?", Customer.class);
List results = sqlQuery.setParameter(1, "John Doe").getResultList();


Author: Dago, updated on June 05, 2022

Comments

  • Dago, almost 2 years ago

    I am trying to find information about Spring Security JPA and whether methods like .save() are protected from SQL injection.

    For instance, I have an object Customer that I want to persist to my database. I am using the CustomerRepository Spring implementation to operate on that entity. Customer's constructor is using parameters from the user. When everything is staged I am invoking .save(). Is this safe against SQL injection, or should I do the check-up first?

  • Dago, over 7 years ago
    So for instance, if the Customer object has a field name, and it is set to be a string: Select * from Customer where name = 'test' and I use the save() method, nothing wrong with the table will happen?
  • jklee, over 7 years ago
    The JDBC driver will escape this data appropriately before the query is executed.
  • Cosmin Oprea, almost 6 years ago
    The problem here is when String name = "'Cosmin' or name='Jhon'"
  • fatih yavuz, about 4 years ago
    Are CrudRepository methods like .save() and .delete() safe against SQL injection?
  • Dan Ortega, about 3 years ago
    @jklee Do you have a reference for your argument? It seems to be hard to find.