I am trying to find information about Spring Security JPA and if methods like .save() are protected from sql injection.
我正在尝试查找有关Spring Security JPA的信息,以及.save()之类的方法是否受到sql注入的保护。
For instance I have object Customer. that I want to persist to my database. I am using CustomerRepository Spring implementation to operate on that entity. Customer's constructor is using parameters from the user. When everything is staged I am invoking .save(). Is this safe against sql injection or Should I do the check up first?
例如,我有对象客户。我想要保存到我的数据库。我正在使用repository Spring实现对该实体进行操作。客户的构造函数使用来自用户的参数。当所有事情都被安排好时,我就调用。save()。这对sql注入安全吗?还是应该先检查一下?
1 个解决方案
#1
2
.save() is safe, only the usage of native queries is vulnerable.
.save()是安全的,只有本机查询的使用是脆弱的。
List results = entityManager.createNativeQuery("Select * from Customer where name = " + name).getResultList();
You can safe native queries also, if you use parameter.
如果使用参数,也可以安全地查询本机查询。
Query sqlQuery = entityManager.createNativeQuery("Select * from Customer where name = ?", Customer.class);
List results = sqlQuery.setParameter(1, "John Doe").getResultList();
#1
2
.save() is safe, only the usage of native queries is vulnerable.
.save()是安全的,只有本机查询的使用是脆弱的。
List results = entityManager.createNativeQuery("Select * from Customer where name = " + name).getResultList();
You can safe native queries also, if you use parameter.
如果使用参数,也可以安全地查询本机查询。
Query sqlQuery = entityManager.createNativeQuery("Select * from Customer where name = ?", Customer.class);
List results = sqlQuery.setParameter(1, "John Doe").getResultList();