I am trying to find information about Spring Security JPA and whether methods like .save() are protected from SQL injection.

For instance, I have an object Customer that I want to persist to my database. I am using the CustomerRepository Spring implementation to operate on that entity. Customer's constructor is using parameters from the user. When everything is staged I am invoking .save(). Is this safe against SQL injection, or should I do the check-up first?
Note that using JPA or other ORMs without prepared statements with bound parameters won't protect you from an SQL injection.

JPA and other ORMs relieve us from creating hand-coded SQL statements, but they won't prevent us from writing vulnerable code.

The only sure way to prevent SQL injection attacks is input validation and parameterized queries, including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.
Spring Data JPA aims to significantly improve the implementation of data access layers by reducing the effort to the amount that's actually needed. As a developer you write your repository interfaces, including custom finder methods, and Spring will provide the implementation automatically.

.save() is safe; only the usage of native queries is vulnerable:
// Vulnerable: user input is concatenated into the SQL text
List results = entityManager.createNativeQuery("Select * from Customer where name = " + name).getResultList();
You can make native queries safe also, if you use a parameter.
// Safe: the value is bound as a positional parameter, never spliced into the SQL string
Query sqlQuery = entityManager.createNativeQuery("Select * from Customer where name = ?", Customer.class);
List results = sqlQuery.setParameter(1, "John Doe").getResultList();
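To tie the two answers back to the repository the question describes, here is an added example (not code from either answer or from Spring itself) showing the save() path alongside a derived finder and a hand-written native query in a Spring Data repository. It assumes a Jakarta Persistence (Spring Boot 3) setup, a Customer entity with a single name column mapped to a table named customer, and hypothetical class and method names.

```java
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.Id;
import java.util.List;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;

// Hypothetical entity: only the fields needed for the example.
@Entity
public class Customer {
    @Id @GeneratedValue
    private Long id;
    private String name;

    protected Customer() {}            // no-arg constructor required by JPA

    public Customer(String name) {     // value comes straight from the request
        this.name = name;
    }

    public Long getId() { return id; }
    public String getName() { return name; }
}

// Hypothetical repository; Spring Data generates the implementation.
interface CustomerRepository extends JpaRepository<Customer, Long> {

    // Derived query: Spring Data builds "select c from Customer c where c.name = ?1"
    // and binds the argument, so the input never becomes part of the SQL text.
    List<Customer> findByName(String name);

    // Hand-written native query: still safe because :name is a bound parameter,
    // not a string concatenation like the vulnerable createNativeQuery example above.
    @Query(value = "select * from customer where name = :name", nativeQuery = true)
    List<Customer> searchNative(@Param("name") String name);
}

// Hypothetical service showing the persist path the question asks about.
class CustomerService {
    private final CustomerRepository repo;

    CustomerService(CustomerRepository repo) { this.repo = repo; }

    // The persistence provider issues "insert into customer (name) values (?)"
    // and binds the string, so a name like "x' or '1'='1" is stored literally.
    Customer register(String untrustedName) {
        return repo.save(new Customer(untrustedName));
    }
}
```

Parameter binding keeps the value out of the SQL grammar; it does not validate the value, so length and format checks on name still belong in the application before save() is called.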