
Is a select query made by a java driver accessor vulnerable to injection?

Something like:

@Accessor
public interface EntityAccessor {
    @Query("SELECT * FROM table WHERE id = :id")
    Result<Entity> byId(@Param("id") String id);
}
Comment from Héctor, Nov 06 '17 at 15:59: https://stackoverflow.com/questions/8263371/how-can-prepared-statements-protect-from-sql-injection-attacks

1 Answer

No. This syntax does not perform string replacement. It actually binds the value into a parameter slot. This means a malicious request would simply be treated as the id within a bound statement.

RussS
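To make the distinction concrete, here is an added example (not RussS's code or the driver's own) contrasting string concatenation, where the value is parsed as part of the CQL text, with a prepared/bound statement and the mapper accessor from the question, where the statement text is fixed once and the value travels in a parameter slot. It assumes the DataStax Java driver 3.x API, a node at 127.0.0.1, a keyspace `ks`, and an `Entity` class annotated with `@Table`; `table`, `Entity` and `byId` are the question's placeholder names.

```java
import com.datastax.driver.core.BoundStatement;
import com.datastax.driver.core.Cluster;
import com.datastax.driver.core.PreparedStatement;
import com.datastax.driver.core.ResultSet;
import com.datastax.driver.core.Session;
import com.datastax.driver.mapping.MappingManager;
import com.datastax.driver.mapping.Result;
import com.datastax.driver.mapping.annotations.Accessor;
import com.datastax.driver.mapping.annotations.Param;
import com.datastax.driver.mapping.annotations.Query;

public class BindingDemo {

    // Accessor as in the question: :id is a named bind marker, not a template.
    @Accessor
    public interface EntityAccessor {
        @Query("SELECT * FROM table WHERE id = :id")
        Result<Entity> byId(@Param("id") String id);
    }

    // Unsafe pattern: the caller's value becomes part of the CQL text, so
    // anything in it (quotes, keywords) is parsed by Cassandra as CQL.
    static String concatenated(String id) {
        return "SELECT * FROM table WHERE id = '" + id + "'";
    }

    public static void main(String[] args) {
        // Constructed input: a perfectly legitimate value containing a quote.
        String userInput = "O'Brien";

        // The quote terminates the literal early; the remainder is parsed as
        // CQL text, which is exactly the surface an injection would use.
        System.out.println(concatenated(userInput));

        Cluster cluster = Cluster.builder().addContactPoint("127.0.0.1").build();
        try (Session session = cluster.connect("ks")) {
            // Safe: the statement is parsed once at prepare time; the value is
            // sent separately as a bound parameter and never re-parsed.
            PreparedStatement prepared =
                session.prepare("SELECT * FROM table WHERE id = ?");
            BoundStatement bound = prepared.bind(userInput);
            ResultSet rows = session.execute(bound);

            // The mapper accessor prepares and binds in the same way.
            EntityAccessor accessor =
                new MappingManager(session).createAccessor(EntityAccessor.class);
            Result<Entity> viaAccessor = accessor.byId(userInput);
        }
        cluster.close();
    }
}
```

Both bound paths look up the id `O'Brien` as a single value; only the concatenated string changes its meaning when the input changes.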