JPA中是否可能进行SQL注入攻击? [英] Are SQL injection attacks possible in JPA?

问题描述

我正在使用Java EE 6和JSF-2.0构建Java Web应用程序，并对所有数据库操作使用持久性API.

I'm building a Java Web Application using Java EE 6 and JSF-2.0, using the persistence API for all database operations.

后端是MySQL，但是我已将EJB-QL中的EntityManager函数和命名查询用于所有操作.在这种情况下可以进行SQL注入攻击吗?

The back-end is MySQL, but I have used the EntityManager functions and Named Queries in EJB-QL for all operations. Are SQL injection attacks possible in this case?

推荐答案

仅当您在SQL/JPQL字符串中内联用户控制的变量时，才有可能:

It's only possible if you're inlining user-controlled variables in a SQL/JPQL string like so:

String sql = "SELECT u FROM User u WHERE id=" + id;

如果您不这样做，而仅使用参数化/命名查询，那么您会很安全.

If you aren't doing that and are using parameterized/named queries only, then you're safe.

这篇关于JPA中是否可能进行SQL注入攻击?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！