JPA Query - SQL injection in positional parameters of a JPA native query

As I read in a lot of articles, when I use a JPA/Hibernate query it is good to set parameters in my queries so SQL injection is avoided, like:

select user from User user where user.name = :name and user.surname = :surname

My problem is that in some cases I need to use a native query when I create my query.

I will use my entity manager and createNativeQuery. But in this case the parameters will be positional, like:

select * from users where user_name = ? and user_surname = ?

Then in my query I will use the method setParameter(1, "name") etc. So is this case "SQL injection proof" like the parameterized query?

Panos asked Apr 06 '12 19:04

2 Answers

If you do not use string operations to build your query, like

"SELECT foo FROM bar Where id="+myParameter+" more sql ..."

then you will not have any vulnerabilities.

kommradHomer answered Oct 11 '22 12:10

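The distinction the question and this answer turn on (values concatenated into the SQL text versus values bound to positional placeholders by the driver) is shown below as an added example; it is not code from the original post. It uses Python's sqlite3 module as a stand-in, because the mechanism is the same as a JPA native query with setParameter(1, ...): the driver sends the statement with `?` markers and binds the values separately, so a quote inside a value never becomes part of the statement. The users table and its three rows are constructed sample data, and the tautology payload is a constructed attacker input.

```python
import sqlite3

# Constructed sample data for the demo (not from the original question).
USERS = [
    ("alice", "smith"),
    ("bob", "jones"),
    ("carol", "white"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database with the same two columns the question's native query uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (user_name text, user_surname text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    return conn


def find_unsafe(conn: sqlite3.Connection, name: str, surname: str) -> list:
    """Builds the statement with string concatenation: the values become SQL text,
    so a quote inside a value changes the meaning of the WHERE clause."""
    sql = (
        "select user_name, user_surname from users where user_name = '"
        + name
        + "' and user_surname = '"
        + surname
        + "'"
    )
    return conn.execute(sql).fetchall()


def find_safe(conn: sqlite3.Connection, name: str, surname: str) -> list:
    """Positional placeholders bound by the driver: the statement text is fixed and
    the values travel separately, which is what createNativeQuery(...).setParameter(1, name)
    does on the JPA side. The value is compared as a whole string, quotes included."""
    sql = "select user_name, user_surname from users where user_name = ? and user_surname = ?"
    return conn.execute(sql, (name, surname)).fetchall()


def demo() -> dict:
    """Runs both variants against a tautology payload and a normal lookup."""
    conn = make_db()
    payload = "x' or '1'='1"  # constructed attacker input; closes the quote and adds OR '1'='1
    return {
        # Concatenation: ... where user_name = 'x' or '1'='1' and user_surname = 'x' or '1'='1'
        # which is true for every row.
        "unsafe_rows": len(find_unsafe(conn, payload, payload)),
        # Binding: looks for a user literally named x' or '1'='1, which does not exist.
        "safe_rows": len(find_safe(conn, payload, payload)),
        # Binding still works for an ordinary lookup.
        "normal_rows": len(find_safe(conn, "alice", "smith")),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add to the answer above: binding covers values only, so a table or column name, a sort direction or a LIMIT that comes from the user still has to be validated against an allow-list before it goes into the statement text; and in JPA the portable positional form is numbered (`?1`, `?2`), while the bare `?` in the question is the legacy JDBC-style syntax that Hibernate accepted in older versions.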


Currently (community, correct me if I am wrong) no vulnerabilities exist within the latest PDO database abstraction layer.

However, testing your queries for knowns and unknowns while sanitizing and filtering input will help eliminate the possibility of an injection in the event of a zero-day exploit.

I currently use a combination of filtering input, charset expectations, stored procedures and strict requirements on their arguments prior to any and all dynamically created queries.

jas- answered Oct 11 '22 13:10
