openjpa-users mailing list archives

From Kevin Sutter <>
Subject Re: JPA Parameterized query - SQL Injection
Date Thu, 26 May 2011 15:11:02 GMT
Using parameterized and/or named queries should be safe from SQL injection
attacks.  SQL injection attacks can normally happen if you are performing
your own JPQL string manipulation with input from a user.  The use of
parameterized input values is much safer.


On Wed, May 25, 2011 at 2:51 PM, chintan4181 <> wrote:

> Hi,
> I am not sure whether this is the right forum, but I have one question on
> parameterized queries. As per my knowledge, to prevent (or minimize) SQL
> injection attacks we should use parameterized queries.
> We are using JPA named queries which are parameterized. My question is,
> since we are using parameterized queries, am I safe from SQL injection, or do I
> need to define validation to escape special characters to prevent SQL
> injection?
> I have also read that most database vendors check escaping before
> executing a query.
> Can somebody help me to understand?
> Thanks,
> chintan
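The distinction in Kevin's reply, as an added Java example that is not from this thread or from OpenJPA itself: the `User` entity, the `User.byName` named query and the `UserQueries` class are assumptions. The first method splices user input into the JPQL text, the second binds the same value as a named parameter, and the third shows the one case a parameter cannot cover (an identifier), where an allowlist check is still needed.

```java
import java.util.List;
import java.util.Set;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.NamedQuery;
import javax.persistence.TypedQuery;

// Hypothetical entity with a parameterized named query (assumed, not from the thread).
@Entity
@NamedQuery(name = "User.byName",
            query = "SELECT u FROM User u WHERE u.name = :name")
class User {
    @Id private Long id;
    private String name;
    public Long getId() { return id; }
    public String getName() { return name; }
}

public class UserQueries {

    // VULNERABLE: the caller's value becomes part of the JPQL text, so a value
    // containing a quote character can change the query's structure rather
    // than being treated as data. This is the "own string manipulation" case.
    public static List<User> findByNameUnsafe(EntityManager em, String name) {
        String jpql = "SELECT u FROM User u WHERE u.name = '" + name + "'";
        return em.createQuery(jpql, User.class).getResultList();
    }

    // SAFE: the query text is fixed at compile time; the value is bound as a
    // parameter and is always treated as data, whatever characters it holds.
    // No application-side escaping is needed.
    public static List<User> findByName(EntityManager em, String name) {
        TypedQuery<User> q = em.createNamedQuery("User.byName", User.class);
        q.setParameter("name", name);
        return q.getResultList();
    }

    // Parameters bind values only, never identifiers such as an ORDER BY
    // column. A user-chosen sort field therefore still has to be validated
    // against a fixed allowlist before it is placed in the query text.
    private static final Set<String> SORTABLE = Set.of("id", "name");

    public static List<User> findAllSorted(EntityManager em, String sortField) {
        if (!SORTABLE.contains(sortField)) {
            throw new IllegalArgumentException("unsupported sort field: " + sortField);
        }
        return em.createQuery("SELECT u FROM User u ORDER BY u." + sortField, User.class)
                 .getResultList();
    }
}
```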
