JPA Query - SQL injection in positional parameters.

As I read in many articles, when I use the JPA / Hibernate query, it is useful to set parameters in my queries, so SQL injection is avoided. For instance:

select user from User user where user.name = :name and user.surname = :surname

My problem is that in some cases I need to use my own query when creating my query.

I will use the entity manager and createNativeQuery. But in this case, the parameters will be positional, like this:

select * from users where user_name = ? and user_surname = ?

Then in my query I will use the method setParameter(1, "name"), etc. So is this case "SQL injection proof", like a parameterized query?

+5
2 answers

if you do not use string operations to build your query, for example:

"SELECT foo FROM bar Where id="+myParameter+" more sql ..."

+4
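To make the distinction concrete, here is an added Java example (not from the original post or its answers) contrasting the concatenated native query with the positional-parameter form from the question. It assumes a JPA entity `User` mapped to the `users` table, a `javax.persistence` EntityManager, and a hypothetical `UserRepository` class; the allow-listed sort column at the end shows the one thing binding cannot protect.

```java
import javax.persistence.EntityManager;
import javax.persistence.Query;
import java.util.List;
import java.util.Set;

// Hypothetical repository wrapping an EntityManager (assumption, not page code).
public class UserRepository {
    private final EntityManager em;

    public UserRepository(EntityManager em) {
        this.em = em;
    }

    // UNSAFE: user input is spliced into the SQL text, so a value that
    // contains a quote character changes the statement itself rather than
    // being compared as data. This is the string-concatenation case.
    @SuppressWarnings("unchecked")
    public List<User> findUnsafe(String name, String surname) {
        String sql = "select * from users where user_name = '" + name
                   + "' and user_surname = '" + surname + "'";
        return em.createNativeQuery(sql, User.class).getResultList();
    }

    // SAFE: the SQL text is a constant with '?' placeholders. The values are
    // sent to the driver separately as bound parameters and are never parsed
    // as SQL, so quotes in them are just characters of the compared string.
    @SuppressWarnings("unchecked")
    public List<User> findSafe(String name, String surname) {
        Query q = em.createNativeQuery(
            "select * from users where user_name = ? and user_surname = ?",
            User.class);
        q.setParameter(1, name);
        q.setParameter(2, surname);
        return q.getResultList();
    }

    // CAVEAT: binding only works for values. Identifiers such as a column
    // name in ORDER BY cannot be parameters, so they must come from a fixed
    // allow-list rather than from the caller's string.
    private static final Set<String> SORTABLE = Set.of("user_name", "user_surname");

    @SuppressWarnings("unchecked")
    public List<User> findByNameSorted(String name, String sortColumn) {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        Query q = em.createNativeQuery(
            "select * from users where user_name = ? order by " + sortColumn,
            User.class);
        q.setParameter(1, name);
        return q.getResultList();
    }
}
```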

( , ) PDO.

, 0 .

, ,

+1
