I realise it's possible to pass a manually constructed String to execute(String), which is vulnerable. However, I'm interested in the case where you pass the parameters to the query using MapSqlParameterSource or one of the other exposed methods, such as in the examples below. Digging into the source, it looks like it's using a prepared statement in each of these, so I think injection is not possible. However, I'm no security expert, so I just wanted to confirm.
Example 1:

    getSimpleJdbcTemplate().queryForObject("SELECT * FROM table WHERE value = ?",
            new ObjectMapper(), code);

Example 2:

    getSimpleJdbcTemplate()
        .update(
            "insert into table "
                + "(column1, column2, column3, column4, column5) VALUES "
                + "(:column1, :column2, :column3, :column4, :column5)",
            new MapSqlParameterSource().addValue("column1", value1)
                .addValue("column2", value2)
                .addValue("column3", value3)
                .addValue("column4", value4)
                .addValue("column5", value5));
Note that using JPA or other ORMs without prepared statements with bound parameters won't protect you from SQL injection.
You should always use parameterized statements where available; they are your number one protection against SQL injection. You can see more examples of parameterized statements in various languages in the code samples below.
The artist parameter is vulnerable to SQL injection. The following payload modifies the query to look for a nonexistent record. It sets the value in the URL query string to -1. Of course, it could be any other value that does not exist in the database.
Using parameters in a NamedParameterJdbcTemplate will use a JDBC prepared statement with parameters, which will, in general, protect you against SQL injection.
Yes, the above code is safe from injection - it uses parameter binding.
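To see concretely why binding protects, here is an added example (not from the question or any of the answers) that uses Python's sqlite3 module, which accepts the same positional `?` and named `:column` placeholder styles as the two Spring snippets; the table, rows and inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data. The question's table name "table" is an SQL
# keyword, so a plain name is used here.
ROWS = [(1, "alpha"), (2, "beta"), (3, "gamma")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO t (id, value) VALUES (?, ?)", ROWS)
    return conn


def query_concat(conn, code):
    # Mirrors execute(String) with a hand-built string: the input is parsed
    # as part of the SQL text, so a quote in it changes the statement.
    sql = "SELECT * FROM t WHERE value = '" + code + "'"
    return conn.execute(sql).fetchall()


def query_bound(conn, code):
    # Mirrors Example 1: a positional '?' placeholder; the driver sends the
    # value separately from the already-parsed statement.
    return conn.execute("SELECT * FROM t WHERE value = ?", (code,)).fetchall()


def insert_named(conn, params):
    # Mirrors Example 2: ':name' placeholders filled from a dict, the sqlite3
    # analogue of MapSqlParameterSource.addValue(name, value).
    conn.execute("INSERT INTO t (id, value) VALUES (:id, :value)", params)
    return conn.execute("SELECT value FROM t WHERE id = :id", params).fetchone()[0]


def demo():
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed input containing a quote
    concat_rows = query_concat(conn, hostile)  # quote closes the literal: all 3 rows
    bound_rows = query_bound(conn, hostile)    # compared as a plain string: 0 rows
    stored = insert_named(conn, {"id": 4, "value": "O'Brien"})  # quote kept verbatim
    return len(concat_rows), len(bound_rows), stored


if __name__ == "__main__":
    print(demo())
```

Running it shows the concatenated query returning every row for the hostile input while the bound query returns none, and the named-parameter insert storing the embedded quote as ordinary data.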