5

As I have read in a lot of articles, when I use a JPA/Hibernate query it is good to set parameters in my queries so that SQL injection is avoided, like:

select user from User user where user.name = :name and user.surname = :surname

My problem is that in some cases I need to use native query when I create my query.

I will use my entity manager and createNativeQuery, but in this case the parameters will be positional, like:

select * from users where user_name = ? and user_surname = ?

Then in my query I will use the method setParameter(1, "name") etc. So is this case "SQL injection proof" like the parameterized query?

Yes, it will correctly escape the parameters when using the setParameter method, so that they are only used as data. The injection vulnerabilities arise when building the strings yourself using user-supplied parameters and not escaping properly. Commented Apr 6, 2012 at 19:33

2 Answers

4

If you do not use string operations for building your query, like

"SELECT foo FROM bar Where id="+myParameter+" more sql ..."

then you will not have any vulnerabilities.
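To make the distinction drawn in the question and in this answer concrete, here is an added example (not code from the question or from either answer) showing the three variants side by side: a native query built by string concatenation, the JPQL query with named parameters from the question, and the native query with positional parameters bound through setParameter. It assumes a configured JPA provider such as Hibernate, an EntityManager, and a User entity mapped to a users table with user_name and user_surname columns; those names are illustrative.

```java
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.Query;

// Added example, not from the original post. Assumes a JPA provider (e.g. Hibernate),
// a persistence unit, and a User entity mapped to the "users" table with columns
// user_name and user_surname; the entity and column names are assumptions.
public class UserLookup {

    private final EntityManager em;

    public UserLookup(EntityManager em) {
        this.em = em;
    }

    // VULNERABLE: the caller-supplied values are pasted into the SQL text itself.
    // A value containing a single quote terminates the string literal early and the
    // remainder of the value is parsed as SQL, so the WHERE clause can be rewritten.
    public List<?> findUnsafe(String name, String surname) {
        String sql = "select * from users where user_name = '" + name
                + "' and user_surname = '" + surname + "'";
        return em.createNativeQuery(sql, User.class).getResultList();
    }

    // SAFE: JPQL with named parameters. The query text is fixed; the provider binds
    // the values, which are never interpreted as part of the statement.
    public List<User> findByJpql(String name, String surname) {
        return em.createQuery(
                "select user from User user where user.name = :name and user.surname = :surname",
                User.class)
            .setParameter("name", name)
            .setParameter("surname", surname)
            .getResultList();
    }

    // SAFE: native SQL with positional parameters bound via setParameter(int, Object).
    // The provider turns this into a JDBC prepared statement: the SQL is sent once,
    // the values are sent separately as data, so this is as safe as the JPQL form.
    public List<?> findByNative(String name, String surname) {
        Query q = em.createNativeQuery(
                "select * from users where user_name = ? and user_surname = ?", User.class);
        q.setParameter(1, name);
        q.setParameter(2, surname);
        return q.getResultList();
    }
}
```

A quick check that distinguishes the two behaviours: call each method with a name that contains a single quote. The two parameterized versions simply return no rows (no user has that literal name), while the concatenated version either fails with a syntax error or, for a carefully shaped value, returns rows it should not. What protects you is that the parameter value never becomes part of the SQL text; whether the placeholder is named (:name) or positional (?) makes no difference.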



1

Currently (community, correct me if I am wrong) no vulnerabilities exist within the latest PDO database abstraction layer.

However, testing your queries for knowns and unknowns while sanitizing and filtering input will help eliminate the possibility of an injection in the event of a zero-day exploit.

I currently use a combination of filtering input, charset expectations, stored procedures and strict requirements on their arguments prior to any and all dynamically created queries.
