
Here is the complete error:

This use of org/springframework/jdbc/core/JdbcTemplate.query
(Ljava/lang/String;Lorg/springframework/jdbc/core/RowMapper;)Ljava/util/List; 
can be vulnerable to SQL injection (with Spring JDBC)

Here is the reason/solution:

The input values included in SQL queries need to be passed in safely. 
Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection.

Here is my query:

 StringBuilder query = new StringBuilder();
 query.append("SELECT * from Events EVNT")
      .append(" WHERE EVNT.Roll IN ( '5', '1') AND EVNTDemo.Roll is null ")
      .append(" AND date(EVNT.Updt) between ")
      .append("date('").append(getTMyDate()).append("') AND  CURRENT DATE-10 DAY");

How can I assign "?" to my query and pass the whole WHERE condition as an argument object? Is there any other way to fix this SonarQube issue?

  final Object[] args = new Object[] {.....};
  result = jdbcTemplate.query(query.toString(), args, new MyMapper());
 

Edit 1:

 StringBuilder query = new StringBuilder();
 query.append("SELECT * from Events EVNT")
      .append(" WHERE EVNT.Roll IN ( '5', '1') AND EVNTDemo.Roll is null ")
      .append(" AND date(EVNT.Updt) between ")
      .append("date('").append("?").append("') AND  CURRENT DATE-10 DAY");

  final Object[] args = new Object[]{getTs()};
  result = jdbcTemplate.query(query.toString(), args, new MyMapper());

I am getting '?' appended in my query; where am I making a mistake? Could anyone please point it out?

Luke Woodward
GKr297
    The idea is not to pass the whole where clause, just not to put any string values directly into your SQL. Use a ? for the value of getTMyDate(). – tgdavies Oct 09 '20 at 12:17
  • Thanks @tgdavies, I coded as per your comment, but I am not getting my value from the function. Please have a look at my edit. – GKr297 Oct 09 '20 at 12:43
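The following is an added example, not code from the question or from the comments, showing the bound-parameter form that the SonarQube rule and tgdavies's comment are pointing at: the SQL text stays constant, the placeholder is `date(?)` with no quotes around it, and the value travels as a separate argument. The class, record and method names (`EventsRepository`, `Event`, `findRecentEvents`, `findByRolls`, `inListPlaceholders`) are chosen for this example; the `Events`/`EVNTDemo` table references are copied from the question as they appear there. It assumes Spring JDBC and a configured `DataSource`, and it also goes one step past the question by showing how an `IN` list built from input gets one placeholder per element.

```java
import java.sql.ResultSet;
import java.util.Collections;
import java.util.List;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;

// Illustrative repository; EventsRepository, Event, findRecentEvents, findByRolls and
// inListPlaceholders are names chosen for this example, not from the question.
public class EventsRepository {

    // Minimal row type standing in for whatever MyMapper in the question produces.
    public record Event(String roll, java.sql.Date updt) {}

    private final JdbcTemplate jdbcTemplate;

    public EventsRepository(DataSource dataSource) {
        this.jdbcTemplate = new JdbcTemplate(dataSource);
    }

    // Unsafe shape from the question: the date value is spliced into the SQL text,
    // so whatever getTMyDate() returns becomes part of the statement itself.
    static String unsafeSql(String myDate) {
        return "SELECT * FROM Events EVNT"
             + " WHERE EVNT.Roll IN ('5', '1') AND EVNTDemo.Roll IS NULL"
             + " AND date(EVNT.Updt) BETWEEN date('" + myDate + "') AND CURRENT DATE - 10 DAY";
    }

    // Safe shape: the SQL text is a constant and the value is bound separately.
    // The placeholder is date(?) and NOT date('?'): inside single quotes the
    // question mark is just a one-character string literal, which is exactly
    // the "'?' appended in my query" symptom described in Edit 1.
    static final String SAFE_SQL =
          "SELECT * FROM Events EVNT"
        + " WHERE EVNT.Roll IN ('5', '1') AND EVNTDemo.Roll IS NULL"
        + " AND date(EVNT.Updt) BETWEEN date(?) AND CURRENT DATE - 10 DAY";

    private static final RowMapper<Event> EVENT_MAPPER = (ResultSet rs, int rowNum) ->
        new Event(rs.getString("Roll"), rs.getDate("Updt"));

    // The value that used to be concatenated is now the vararg argument:
    // JdbcTemplate.query(String sql, RowMapper<T> rowMapper, Object... args)
    // prepares the statement and binds the value through PreparedStatement.
    public List<Event> findRecentEvents(String myDate) {
        return jdbcTemplate.query(SAFE_SQL, EVENT_MAPPER, myDate);
    }

    // Beyond the question: if the IN list were itself input, it must not be
    // concatenated either. Emit one ? per element (placeholders only, never
    // the values) and bind each element as a separate argument.
    static String inListPlaceholders(int count) {
        if (count < 1) {
            throw new IllegalArgumentException("IN list needs at least one value");
        }
        return String.join(", ", Collections.nCopies(count, "?"));
    }

    public List<Event> findByRolls(List<String> rolls, String myDate) {
        String sql = "SELECT * FROM Events EVNT"
                   + " WHERE EVNT.Roll IN (" + inListPlaceholders(rolls.size()) + ")"
                   + " AND date(EVNT.Updt) BETWEEN date(?) AND CURRENT DATE - 10 DAY";
        Object[] args = new Object[rolls.size() + 1];
        for (int i = 0; i < rolls.size(); i++) {
            args[i] = rolls.get(i);          // each roll value bound individually
        }
        args[rolls.size()] = myDate;         // the date is the last placeholder
        return jdbcTemplate.query(sql, EVENT_MAPPER, args);
    }
}
```

`findRecentEvents(getTMyDate())` is the drop-in replacement for the concatenated query. One caveat to check against the database in use: if the driver rejects an untyped parameter marker inside `date()`, pass a `java.sql.Date` instead of a string and compare with `BETWEEN ? AND CURRENT DATE - 10 DAY`, so the JDBC driver sends a typed DATE parameter; the security property is the same either way, because the value never becomes part of the SQL text.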

0 Answers