We are using NamedParameterJdbcTemplate to achieve "IN" operator functionality. Is there any SQL Injection vulnerability when we use NamedParameterJdbcTemplate?
Since NamedParameterJdbcTemplate internally uses PreparedStatement for querying, and if you can make sure that you do not build the SQL query by somehow concatenating the input from the user, but use the placeholder :xxxx to specify their value, it should prevent SQL injection, as the query and the data entered by the user are sent to the DB separately.
Refer to this for the details about why it can prevent SQL injection thanks to such separation.

Ken Chan
- Thanks, and we are using as placeholder only. – Arju Pidugu May 25 '21 at 08:44
- @ArjuPidugu Glad to hear. So consider accepting or voting up my answer please? – Ken Chan May 25 '21 at 11:43
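An added example (not code from the question or the answer) showing the pattern the answer describes: the whole list is bound to one named placeholder, Spring expands it to `IN (?, ?, ?)` and binds each element through PreparedStatement. The `UserRepository` class, the `users` table and its columns are assumptions; the contrast method shows the concatenation pattern the answer warns against, and the last method shows the one thing placeholders cannot cover, identifiers such as a sort column.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.sql.DataSource;
import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;

// Illustrative class; the repository and the "users" table are assumptions.
public class UserRepository {
    private static final Set<String> SORTABLE_COLUMNS = Set.of("id", "email");
    private final NamedParameterJdbcTemplate jdbc;

    public UserRepository(DataSource dataSource) {
        this.jdbc = new NamedParameterJdbcTemplate(dataSource);
    }

    // Safe: the List is bound to :ids. NamedParameterJdbcTemplate rewrites the
    // statement to "IN (?, ?, ?)" and binds each element as a parameter, so the
    // caller's values never become part of the SQL text.
    public List<Map<String, Object>> findActiveUsersByIds(List<Long> ids) {
        String sql = "SELECT id, email FROM users WHERE status = :status AND id IN (:ids)";
        MapSqlParameterSource params = new MapSqlParameterSource()
                .addValue("status", "ACTIVE")
                .addValue("ids", ids);
        return jdbc.queryForList(sql, params);
    }

    // Unsafe contrast: the IN list is built by string concatenation, so caller
    // data is spliced into the statement itself. This is the pattern to flag
    // in code review, regardless of which template class executes it.
    public List<Map<String, Object>> findByIdsConcatenated(List<String> rawIds) {
        String sql = "SELECT id, email FROM users WHERE id IN (" + String.join(",", rawIds) + ")";
        return jdbc.getJdbcOperations().queryForList(sql);
    }

    // Caveat: placeholders bind values only. A column or table name cannot be
    // passed as :param, so validate it against a fixed allow-list before use.
    public List<Map<String, Object>> findActiveSortedBy(String column) {
        if (!SORTABLE_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String sql = "SELECT id, email FROM users WHERE status = :status ORDER BY " + column;
        return jdbc.queryForList(sql, new MapSqlParameterSource("status", "ACTIVE"));
    }
}
```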