Usman Mutawakil Usman Mutawakil - 6 months ago 83
Java Question

Is the @Query annotation in spring SQL Injection safe?

Do the parameters of a string passed to the @Query annotation, for Spring, get treated as pure data as they would if, for example, you were using the PreparedStatement class or any method meant to prevent SQL injection?

String MY_QUERY = "SELECT * FROM some_table WHERE some_column = ?1";

@Query(value=MY_QUERY, nativeQuery = true)
List<SomeEntity> findResults(String potentiallyMaliciousUserInput);

Bottom Line: Is the code above susceptible to SQL injection?


It looks like Spring Data's @Query is just a wrapper around JPA

See this SO answer: Are SQL injection attacks possible in JPA?