Usman Mutawakil - 1 year ago
Java Question

Is the @Query annotation in spring SQL Injection safe?

Do the parameters of a query string passed to Spring's @Query annotation get treated as pure data, as they would be if, for example, you were using the PreparedStatement class or any other method meant to prevent SQL injection?

import java.util.List;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;

interface SomeRepository extends JpaRepository<SomeEntity, Long> {
    // ?1 is a positional bind parameter; the method argument is never concatenated into the SQL text
    String MY_QUERY = "SELECT * FROM some_table WHERE some_column = ?1";

    @Query(value = MY_QUERY, nativeQuery = true)
    List<SomeEntity> findResults(String potentiallyMaliciousUserInput);
}

Bottom Line: Is the code above susceptible to SQL injection?

Answer Source

It looks like Spring Data's @Query is just a wrapper around JPA.

See this SO answer: Are SQL injection attacks possible in JPA?
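To make the distinction concrete, here is an added example (not from the question, the answer, or Spring itself) that reproduces the two behaviours the question contrasts: a bind parameter, which is what the ?1 placeholder in @Query becomes once Spring Data hands the query to JPA and ultimately to a JDBC PreparedStatement, versus naive string concatenation. It uses Python's sqlite3 module rather than Spring, so the table, rows and payload are all constructed here, and the function names are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data standing in for some_table (not part of the original post).
ROWS = [("alice", "secret-a"), ("bob", "secret-b"), ("carol", "secret-c")]


def make_db():
    """Build an in-memory table shaped like the one in the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE some_table (some_column TEXT, payload TEXT)")
    conn.executemany("INSERT INTO some_table VALUES (?, ?)", ROWS)
    return conn


def find_results_bound(conn, user_input):
    """Bind-parameter form: the same mechanism the ?1 placeholder relies on.

    The SQL text is fixed at parse time; the user value travels separately
    and is compared as data, so a quote inside it cannot change the query.
    """
    sql = "SELECT * FROM some_table WHERE some_column = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def find_results_concatenated(conn, user_input):
    """Unsafe contrast: splicing the value into the SQL string.

    This is what @Query does NOT do for ?1, and what you get if you build
    the query text yourself from user input.
    """
    sql = "SELECT * FROM some_table WHERE some_column = '" + user_input + "'"
    return conn.execute(sql).fetchall()


# Constructed tautology payload: closes the literal and appends OR '1'='1'.
PAYLOAD = "' OR '1'='1"


def demo(payload=PAYLOAD):
    """Return (rows matched with binding, rows matched with concatenation)."""
    conn = make_db()
    bound = find_results_bound(conn, payload)
    concatenated = find_results_concatenated(conn, payload)
    return len(bound), len(concatenated)


if __name__ == "__main__":
    bound_count, concat_count = demo()
    print(f"bound parameter matched {bound_count} rows, "
          f"concatenation matched {concat_count} rows")
```

With the payload above, the bound version matches nothing because the database looks for a row whose some_column literally equals the string `' OR '1'='1`, while the concatenated version matches every row. The one caveat worth keeping in mind is that binding protects values only: an identifier such as a column name in an ORDER BY cannot be passed as a bind parameter, so if user input ever has to select a column or table it must be validated against an allow-list rather than spliced into the query text.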
