Is Spring Data JPA safe against SQL injection

Question

I am trying to find information about Spring Security JPA and if methods like .save() are protected from sql injection.

For instance I have object Customer. that I want to persist to my database. I am using CustomerRepository Spring implementation to operate on that entity. Customer's constructor is using parameters from the user. When everything is staged I am invoking .save(). Is this safe against sql injection or Should I do the check up first?

score 20 · Accepted Answer · edited Jul 12 '21 at 19:57

20

.save() is safe, only the usage of native queries is vulnerable.

List results = entityManager.createNativeQuery("Select * from Customer where name = " + name).getResultList();

You can make native queries safe also, if you use a parameter.

Query sqlQuery = entityManager.createNativeQuery("Select * from Customer where name = ?", Customer.class);
List results = sqlQuery.setParameter(1, "John Doe").getResultList();

edited Jul 12 '21 at 19:57

Carlos Macasaet

1,176
7
23

answered Jan 15 '17 at 12:45

jklee

2,198
2
15
25

so for instance if Customer object has field name, and it is set to be a string: Select * from Customer where name = 'test' and i use save() method, nothing wrong with table wiill happen? – Dago Jan 15 '17 at 12:55
The JDBC driver will escape this data appropriately before the query is executed; – jklee Jan 15 '17 at 13:04
The problem here is when String name = "'Cosmin' or name='Jhon'" – Cosmin Oprea Apr 27 '18 at 13:42
is CrudRepository methods like .save() .delete() is safe for sql injection ? – fatih yavuz Feb 27 '20 at 06:02
4

@jklee Do you have a reference of your argument, it seems to be hard to find it. – Dan Ortega Feb 12 '21 at 05:23

Is Spring Data JPA safe against SQL injection

1 Answers1

Linked