问题描述
我正在尝试查找有关Spring Security JPA的信息,以及是否保护诸如 .save()
之类的方法免于sql注入.
I am trying to find information about Spring Security JPA and if methods like .save()
are protected from sql injection.
例如,我有对象 Customer.
,我想将其持久化到数据库中.我正在使用CustomerRepository Spring实现在该实体上进行操作.客户的构造函数正在使用用户的参数.当一切准备就绪时,我正在调用 .save()
.这样可以防止sql注入吗?还是我应该先进行检查?
For instance I have object Customer.
that I want to persist to my database.I am using CustomerRepository Spring implementation to operate on that entity.Customer's constructor is using parameters from the user. When everything is staged I am invoking .save()
. Is this safe against sql injection or Should I do the check up first?
推荐答案
.save()
是安全的,只有使用本机查询时才容易受到攻击.
.save()
is safe, only the usage of native queries is vulnerable.
List results = entityManager.createNativeQuery("Select * from Customer where name = " + name).getResultList();
如果使用参数,也可以保护本机查询.
You can safe native queries also, if you use parameter.
Query sqlQuery = entityManager.createNativeQuery("Select * from Customer where name = ?", Customer.class);
List results = sqlQuery.setParameter(1, "John Doe").getResultList();
这篇关于Spring Data JPA是否可以防止SQL注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!