2

I have a Repository Interface in my Spring Boot application, as you can see below.

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;

@Repository
public interface CounterRepository extends JpaRepository<Counter, String> {
    // Derived query: Spring Data builds the query from the method name
    Counter findByMediaName(String mediaName);
}

There is no implementation of this interface. It's just Spring Boot magic. I'm wondering if there is a SQL Injection risk for mediaName parameter? I'm using Spring Boot 2.2.6.RELEASE

oxyt
  • 1,816
  • 3
  • 23
  • 33

2 Answers

2

No, there isn't. It will create a Criteria api query (in a right way), which will escape parameters. It's like when you use prepared statements.

zlaval
  • 1,941
  • 1
  • 10
  • 11
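The following is an added example, not code from the question or from either answer, that shows the distinction behind this answer: the derived query from the question is translated by Spring Data into a Criteria query with a bound parameter, so the value of mediaName never becomes part of the query text, whereas a hand-written query that concatenates the value is where JPA code becomes injectable. The entity fields, the CounterDao class and the method names other than findByMediaName are assumed for illustration; javax.persistence is used because Spring Boot 2.2.x ships with JPA 2.2. In a real project each type lives in its own file.

```java
// Added example; CounterDao, Counter's fields and the extra finder methods are assumed.
import java.util.List;

import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.PersistenceContext;
import javax.persistence.TypedQuery;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.stereotype.Repository;

@Entity
class Counter {
    @Id
    private String mediaName;
    private long hits;

    public String getMediaName() { return mediaName; }
    public long getHits() { return hits; }
}

@Repository
interface CounterRepository extends JpaRepository<Counter, String> {
    // Derived query: Spring Data parses the method name and builds a
    // CriteriaQuery whose predicate is bound to a parameter. The value of
    // mediaName is sent separately from the query text, as with a
    // PreparedStatement, so it cannot change the query's structure.
    Counter findByMediaName(String mediaName);

    // Explicit JPQL with a named parameter: the value is bound, not spliced in.
    @Query("select c from Counter c where c.mediaName = :name")
    Counter findByMediaNameJpql(@Param("name") String name);
}

// A hand-written DAO is where the ORM stops protecting you: the provider
// executes whatever JPQL string it is given.
@Repository
public class CounterDao {
    @PersistenceContext
    private EntityManager em;

    // VULNERABLE: the caller's input becomes part of the JPQL text, so a
    // value containing a quote alters the query itself. Shown only as the
    // pattern to detect and remove in code review.
    public Counter findUnsafe(String mediaName) {
        String jpql = "select c from Counter c where c.mediaName = '" + mediaName + "'";
        List<Counter> result = em.createQuery(jpql, Counter.class).getResultList();
        return result.isEmpty() ? null : result.get(0);
    }

    // FIXED: the same query with a bound parameter. The query text is a
    // constant; the provider passes mediaName as a parameter value.
    public Counter findSafe(String mediaName) {
        TypedQuery<Counter> q = em.createQuery(
            "select c from Counter c where c.mediaName = :name", Counter.class);
        List<Counter> result = q.setParameter("name", mediaName).getResultList();
        return result.isEmpty() ? null : result.get(0);
    }
}
```

A quick review check for this class of bug is to look for em.createQuery or em.createNativeQuery calls whose first argument is built with + or String.format from request data; derived repository methods and @Query strings with :name or ?1 placeholders are bound and do not need further escaping.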
1

This is a common misconception. JPA and other ORMs relieve us from creating hand-coded SQL statements, but they won't prevent us from writing vulnerable code.

How to Fix SQL Injection using the Java Persistence API (JPA)

SQL injection: when a prepared statement is not enough

Nowhere in JSR-338 (JPA 2.1) is anything stated about the preparation or caching of queries or results, whether named or not. It's all up to the provider, which generally makes a best effort.

Query Parameters in JPA

0gam
  • 1,343
  • 1
  • 9
  • 21