Spring数据JPA对SQL注入安全吗?

时间:2021-08-17 13:02:19

I am trying to find information about Spring Security JPA and if methods like .save() are protected from sql injection.

我正在尝试查找有关Spring Security JPA的信息,以及.save()之类的方法是否受到sql注入的保护。

For instance I have object Customer. that I want to persist to my database. I am using CustomerRepository Spring implementation to operate on that entity. Customer's constructor is using parameters from the user. When everything is staged I am invoking .save(). Is this safe against sql injection or Should I do the check up first?

例如,我有对象客户。我想要保存到我的数据库。我正在使用repository Spring实现对该实体进行操作。客户的构造函数使用来自用户的参数。当所有事情都被安排好时,我就调用。save()。这对sql注入安全吗?还是应该先检查一下?

1 个解决方案

#1


2  

.save() is safe, only the usage of native queries is vulnerable.

.save()是安全的,只有本机查询的使用是脆弱的。

List results = entityManager.createNativeQuery("Select * from Customer where name = " + name).getResultList();

You can safe native queries also, if you use parameter.

如果使用参数,也可以安全地查询本机查询。

Query sqlQuery = entityManager.createNativeQuery("Select * from Customer where name = ?", Customer.class);
List results = sqlQuery.setParameter(1, "John Doe").getResultList();

#1


2  

.save() is safe, only the usage of native queries is vulnerable.

.save()是安全的,只有本机查询的使用是脆弱的。

List results = entityManager.createNativeQuery("Select * from Customer where name = " + name).getResultList();

You can safe native queries also, if you use parameter.

如果使用参数,也可以安全地查询本机查询。

Query sqlQuery = entityManager.createNativeQuery("Select * from Customer where name = ?", Customer.class);
List results = sqlQuery.setParameter(1, "John Doe").getResultList();