Is Spring Data JPA safe against SQL injection


Question

I am trying to find information about Spring Security JPA and whether methods like .save() are protected from SQL injection.

For instance, I have an object Customer that I want to persist to my database. I am using the CustomerRepository Spring implementation to operate on that entity. Customer's constructor is using parameters from the user. When everything is staged I am invoking .save(). Is this safe against SQL injection, or should I do the check first?

Answer

.save() is safe; only the usage of native queries is vulnerable.

// Vulnerable: the user-supplied value is concatenated into the SQL text
List results = entityManager.createNativeQuery("Select * from Customer where name = " + name).getResultList();

You can also make native queries safe if you use parameters.

// Safe: the value is bound as a query parameter, never spliced into the SQL
Query sqlQuery = entityManager.createNativeQuery("Select * from Customer where name = ?", Customer.class);
List results = sqlQuery.setParameter(1, "John Doe").getResultList();
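The contrast from the answer above, written out as an added example (not code from the original answer): a Spring Data repository whose derived and native queries are both parameterised, next to an EntityManager helper showing the concatenated form beside its bound-parameter equivalents. It assumes a Customer entity with a name column mapped to a customer table, and Jakarta Persistence imports (Spring Boot 3); older Spring versions use javax.persistence instead.

```java
import jakarta.persistence.EntityManager;
import jakarta.persistence.TypedQuery;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import java.util.List;

// Assumed entity from the question: Customer, with a "name" column in table "customer".
public interface CustomerRepository extends JpaRepository<Customer, Long> {

    // Derived query: Spring Data generates JPQL with a bound parameter,
    // so the value of `name` never becomes part of the statement text.
    List<Customer> findByName(String name);

    // Native SQL is equally safe as long as the value is a bound parameter.
    @Query(value = "SELECT * FROM customer WHERE name = :name", nativeQuery = true)
    List<Customer> findByNameNative(@Param("name") String name);
}

// Hypothetical helper used only for this illustration.
class CustomerLookup {
    private final EntityManager em;

    CustomerLookup(EntityManager em) { this.em = em; }

    // Unsafe: the input is concatenated into the SQL, so quote characters in
    // the input change the structure of the statement the database executes.
    List<?> unsafe(String name) {
        return em.createNativeQuery(
                "SELECT * FROM customer WHERE name = '" + name + "'").getResultList();
    }

    // Safe: same query, positional parameter, as in the answer above.
    @SuppressWarnings("unchecked")
    List<Customer> safeNative(String name) {
        return em.createNativeQuery("SELECT * FROM customer WHERE name = ?", Customer.class)
                 .setParameter(1, name)
                 .getResultList();
    }

    // Safe: JPQL with a named parameter; the driver sends the value separately.
    List<Customer> safeJpql(String name) {
        TypedQuery<Customer> q = em.createQuery(
                "SELECT c FROM Customer c WHERE c.name = :name", Customer.class);
        return q.setParameter("name", name).getResultList();
    }
}
```

A quick review check is to grep the code base for createNativeQuery and @Query(nativeQuery = true) and confirm every one of them carries only ? or :name placeholders, with no string concatenation in the query argument.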
