openjpa-users mailing list archives

From Kevin Sutter <kwsut...@gmail.com>
Subject Re: JPA Parameterized query - SQL Injection
Date Thu, 26 May 2011 15:11:02 GMT
Using parameterized and/or named queries should be safe from SQL injection
attacks.  SQL injection attacks can normally happen if you are performing
your own JPQL string manipulation with input from a user.  The use of
parameterized input values is much safer.

Kevin

On Wed, May 25, 2011 at 2:51 PM, chintan4181 <chintan4181@gmail.com> wrote:

> Hi,
>
> I am not sure whether this is the right forum, but I have one question on
> parameterized queries. As per my knowledge, to prevent (or minimize) SQL
> Injection attacks we should use parameterized queries.
>
> We are using JPA named queries which are parameterized. My question is,
> since we are using parameterized queries, am I safe from SQL injection or do I
> need to define validation to escape special characters to prevent SQL
> Injection?
>
> I have also read that most database vendors check escaping before
> executing the query.
>
> Can somebody help me to understand?
>
> thanks
> chintan
>
> --
> View this message in context:
> http://openjpa.208410.n2.nabble.com/JPA-Parameterized-query-SQL-Injection-tp6404249p6404249.html
> Sent from the OpenJPA Users mailing list archive at Nabble.com.
>
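The point Kevin makes above, shown side by side as an added example (this code is not from the thread, OpenJPA, or the JPA specification). The `Account` entity, its `Account.byName` named query, and the `findBy*` methods are assumed for illustration; only the `javax.persistence` API calls are real. It also goes one step beyond the reply: parameter binding protects values, but parts of a query that cannot be parameters (an ORDER BY field chosen by the caller) still need a whitelist.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.NamedQuery;
import javax.persistence.TypedQuery;

// Hypothetical entity for this example. The JPQL of the named query is fixed
// in the annotation, so nothing supplied at request time can change its shape.
@Entity
@NamedQuery(name = "Account.byName",
            query = "SELECT a FROM Account a WHERE a.name = :name")
class Account {
    @Id Long id;
    String name;
    String role;
}

public class AccountLookup {
    private final EntityManager em;

    public AccountLookup(EntityManager em) {
        this.em = em;
    }

    // VULNERABLE: the caller's value is spliced into the JPQL text. An input
    // such as   x' OR a.name <> 'x   turns the WHERE clause into
    //   a.name = 'x' OR a.name <> 'x'
    // which is true for every row. Hand-rolled quote escaping is the wrong
    // fix: it is easy to get wrong and depends on the provider and database.
    public List<Account> findByNameUnsafe(String name) {
        String jpql = "SELECT a FROM Account a WHERE a.name = '" + name + "'";
        return em.createQuery(jpql, Account.class).getResultList();
    }

    // SAFE: the query text never contains user data. The value is bound as a
    // parameter and handed to the JDBC driver separately from the SQL, so the
    // same input above is compared literally against a.name and matches nothing.
    public List<Account> findByName(String name) {
        TypedQuery<Account> q = em.createNamedQuery("Account.byName", Account.class);
        q.setParameter("name", name);
        return q.getResultList();
    }

    // CAVEAT (beyond the reply): a sort column is an identifier, not a value,
    // and cannot be bound with setParameter. Map the request onto a fixed set
    // of field names rather than concatenating the raw string.
    public List<Account> findAllSorted(String requestedSort) {
        String sortField;
        switch (requestedSort) {
            case "name": sortField = "a.name"; break;
            case "role": sortField = "a.role"; break;
            default:     sortField = "a.id";   // unknown input falls back, never passes through
        }
        return em.createQuery("SELECT a FROM Account a ORDER BY " + sortField, Account.class)
                 .getResultList();
    }
}
```

With `findByName`, the literal `x' OR a.name <> 'x` is simply a name that no account has, which is exactly the behaviour Kevin describes: the provider handles quoting for bound values, so the caller does not need to escape anything.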
