EJB3 SQL Injection

Question

I would like to know how safe is EJB3 to prevent SQL Injection.
I've read that using prepared statements is quite safe, but for instance with a function like this

@Override
public Collection<Project> searchProjectsPerProfessorLastname(String lastname) {
    Query q = manager.createQuery("SELECT DISTINCT OBJECT(p) FROM Project p JOIN p.professors prof WHERE lower(prof.lastName) = ?1");
    q.setParameter(1, lastname.toLowerCase());
    @SuppressWarnings("unchecked")
    Collection<Project> c = q.getResultList();
    if(c.size()==0)
       return null;
    return c;
}

it is possible to perform SQL Injection?

Answer 1

No.

Simply put, as long as you're not building the SQL dynamically (and binding is not building SQL), there's no risk of SQL injection. Barring a buggy SQL driver.

Binding is the technique of assigning parameters to SQL statements via the driver rather than through simply building up SQL text yourself.

Different drivers do different things, but the reason that SQL injection happens is that people creating the SQL text do not take the proper precautions to prevent SQL injection (notably escaping special characters alike quotes and such).

Ideally, the driver will take care to build the SQL properly. But if the driver is buggy in some way, there's still some risk. I, personally, have not encountered a driver had a bug that affected this. So, while it's possible, it's really, really remote.

Finally, for you example, you're not even using SQL, you're using EQL, which is the JPA query language. This has to be translated yet again from EQL to SQL, which gives more opportunity for the intervening software (JPA and the JDBC driver) opportunity to prevent a SQL injection from happening.

Answer 2

All the parametized query forms of JPA calls are considered safe against SQL injection. You can however, create a query string with concatenation, which would be unsafe.