JPL: is javax.persistence.Query.setParameter sql-injection safe?
-
08-06-2021 - |
質問
Can I sql-inject jpl parameter set by setParameter? I mean, I know I can do it if I have something like this:
String nm = "'anything' or 'x'='x'--";
Query m = em.createQuery("SELECT p FROM Tbl p WHERE UPPER(p.name) = '" + nm + "'");
Can I do a similar thing with something like this?:
String nm = "'anything' or 'x'='x'--";
Query m = em.createQuery("SELECT p FROM Tbl p WHERE UPPER(p.name) = :param").setParameter("param", nm.toUpperCase());
解決
It seems that it is sql-injection safe. I looked in sql queries log: potentially dangerous symbols are escaped in the resulting sql
所属していません StackOverflow