 

Does Scala Anorm String Replacement Sanitize Inputs?


I am using the Play! framework along with Anorm to access the database. I often see examples like the following where object members are injected into the SQL statement directly.

My question is, are these inputs sanitized? Most examples look like the following:

    object Person {
      def save(p: Person) {
        DB.withConnection("default") { implicit connection =>
          SQL("""
            INSERT INTO person(firstName, lastName)
            values ({firstName}, {lastName})
          """).on(
            "firstName" -> p.firstName,
            "lastName"  -> p.lastName
          ).executeUpdate()
        }
      }
    }

I will attempt to find out by way of hacking, but it's easy to make a mistake so I thought asking was more appropriate, and I can draw on the wisdom of the crowd.

Jacob Groundwater asked Mar 25 '12 00:03


1 Answer

According to its source code, Anorm builds only java.sql.PreparedStatements, which prevent such SQL injection (see the PreparedStatement Wikipedia page for a general explanation).

paradigmatic answered Oct 23 '22 16:10
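The protection described in the answer holds only while the value travels through Anorm's own `{name}` placeholders and `.on(...)`; it is lost the moment the value is pasted into the SQL text before Anorm sees it. The following added example (not code from the question, the answer, or the Anorm project) puts the two patterns side by side, assuming a Play 2.0-era `DB.withConnection("default")` setup and a `Person` case class as in the question.

```scala
import java.sql.Connection
import anorm._
import play.api.db.DB
import play.api.Play.current

case class Person(firstName: String, lastName: String)

// Hypothetical DAO, written for this example only.
object PersonDao {

  // SAFE: {firstName} and {lastName} are Anorm placeholders. Anorm rewrites the
  // statement to "INSERT ... VALUES (?, ?)" and binds each value through
  // java.sql.PreparedStatement, so a quote inside the data (O'Brien) is stored
  // verbatim and can never change the shape of the statement.
  def saveParameterized(p: Person): Int =
    DB.withConnection("default") { implicit connection: Connection =>
      SQL("""
        INSERT INTO person(firstName, lastName)
        VALUES ({firstName}, {lastName})
      """).on(
        "firstName" -> p.firstName,
        "lastName"  -> p.lastName
      ).executeUpdate()
    }

  // UNSAFE: Scala's s"..." interpolator splices the values into the SQL string
  // before Anorm parses it. There are no placeholders left to bind, so Anorm
  // has nothing to protect: a last name of O'Brien already breaks the statement,
  // and attacker-controlled input can alter its meaning. Do not write this.
  def saveInterpolatedUnsafe(p: Person): Int =
    DB.withConnection("default") { implicit connection: Connection =>
      SQL(s"INSERT INTO person(firstName, lastName) VALUES ('${p.firstName}', '${p.lastName}')")
        .executeUpdate()
    }
}
```

A quick review check for an Anorm code base is therefore to grep for `SQL(s"` or `SQL("... " +`: any value reaching the statement that way bypasses the PreparedStatement binding the answer relies on.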