Is the @Query annotation in spring SQL Injection safe?

java spring sql-injection spring-annotations
Usman Mutawakil picture Usman Mutawakil · Jan 20, 2015 · Viewed 19k times · Source

Do the parameters of a string passed to the @Query annotation, for Spring, get treated as pure data as they would if, for example, you were using the PreparedStatement class or any method meant to prevent SQL injection?

final String MY_QUERY = "SELECT * FROM some_table WHERE some_column = ?1";

@Query(value=MY_QUERY, nativeQuery = true)
List<SomeEntity> findResults(String potentiallyMaliciousUserInput);

Bottom Line: Is the code above susceptible to SQL injection?

Answer

Alex picture Alex · Jan 20, 2015

It looks like Spring Data's @Query is just a wrapper around JPA

See this SO answer: Are SQL injection attacks possible in JPA?

Related questions

What's the difference between @Component, @Repository & @Service annotations in Spring?

Can @Component, @Repository and @Service annotations be used interchangeably in Spring or do they provide any particular functionality besides acting as a notation device? In other words, if I have a Service class and I change the annotation from @Service …

Read More
How to configure port for a Spring Boot application

How do I configure the TCP/IP port listened on by a Spring Boot application, so it does not use the default port of 8080.

Read More
How can I inject a property value into a Spring Bean which was configured using annotations?

I have a bunch of Spring beans which are picked up from the classpath via annotations, e.g. @Repository("personDao") public class PersonDaoImpl extends AbstractDaoImpl implements PersonDao { // Implementation omitted } In the Spring XML file, there's a PropertyPlaceholderConfigurer defined: <bean …

Read More