
Native sql query- SQL Injection Attack

I'm working with JPA. How could my application be SQL injection safe if I'm using a native sql query (not entity query)? I need to build the native sql query with the data submitted by a user from a html form.

If I use parameters in the native sql I can avoid SQL injection attacks, but my problem is that I can't be sure how many data fields are being submitted by the user.

You should use positional parameters binding:

String queryString = "select * from EMP e where e.name = ?1";
Query query = em.createNativeQuery(queryString, Employee.class);
query.setParameter(1, "Mickey");

Please note that you should not use named parameter binding (:empName) in your query, as the JPA spec says:

Only positional parameter binding may be portably used for native queries.

This should secure you from SQL Injection attacks.
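One way to handle the variable number of form fields from the question while keeping every user value in a positional parameter, as an added example that is not part of the original answer. The Employee entity, the EMP table and the ALLOWED_COLUMNS whitelist are assumptions; column names cannot be bound as parameters, so they are checked against a fixed set before they enter the SQL text.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.persistence.EntityManager;
import javax.persistence.Query;

public class EmployeeSearch {

    // Hypothetical whitelist of columns the HTML form is allowed to filter on.
    // Identifiers cannot go through setParameter, so this is the only
    // user-influenced part of the query text and it must be closed-set.
    private static final Set<String> ALLOWED_COLUMNS = Set.of("name", "dept", "city");

    private final EntityManager em;

    public EmployeeSearch(EntityManager em) {
        this.em = em;
    }

    /**
     * Builds "select * from EMP e where 1 = 1 and e.col = ?1 and e.col = ?2 ..."
     * for however many fields were submitted. The SQL string only ever contains
     * whitelisted column names and ?n markers; the submitted values are bound
     * afterwards, so they can never change the structure of the statement.
     */
    @SuppressWarnings("unchecked")
    public List<Employee> search(Map<String, String> formFields) {
        StringBuilder sql = new StringBuilder("select * from EMP e where 1 = 1");
        List<String> values = new ArrayList<>();

        for (Map.Entry<String, String> field : formFields.entrySet()) {
            String column = field.getKey();
            if (!ALLOWED_COLUMNS.contains(column)) {
                throw new IllegalArgumentException("Unknown filter field: " + column);
            }
            // Positional indexes are 1-based: the next marker is values.size() + 1.
            sql.append(" and e.").append(column).append(" = ?").append(values.size() + 1);
            values.add(field.getValue());
        }

        Query query = em.createNativeQuery(sql.toString(), Employee.class);
        for (int i = 0; i < values.size(); i++) {
            query.setParameter(i + 1, values.get(i)); // value bound, never concatenated
        }
        return query.getResultList();
    }
}
```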
