Posted to users@openjpa.apache.org by chintan4181 <ch...@gmail.com> on 2011/05/25 21:51:22 UTC

JPA Parameterized query - SQL Injection

Hi, 

I am not sure whether this is the right forum, but I have one question on
parameterized queries. As per my knowledge, to prevent (or minimize) SQL
Injection attacks we should use parameterized queries. 

We are using JPA named queries which are parameterized. My question is,
since we are using parameterized queries, am I safe from SQL injection, or do I
need to define validation to escape special characters to prevent SQL
Injection?

I have also read that most database vendors check escaping before
executing a query. 

Can somebody help me to understand?

thanks
chintan

--
View this message in context: http://openjpa.208410.n2.nabble.com/JPA-Parameterized-query-SQL-Injection-tp6404249p6404249.html
Sent from the OpenJPA Users mailing list archive at Nabble.com.

Re: JPA Parameterized query - SQL Injection

Posted by Kevin Sutter <kw...@gmail.com>.
Using parameterized and/or named queries should be safe from SQL injection
attacks.  SQL injection attacks can normally happen if you are performing
your own JPQL string manipulation with input from a user.  The use of
parameterized input values is much safer.

Kevin

On Wed, May 25, 2011 at 2:51 PM, chintan4181 <ch...@gmail.com> wrote:

> Hi,
>
> I am not sure whether this is right forum but i have one question on
> parameterized query. As per my knowledge to prevent(or minimize) SQL
> Injection attack we should use parameterized query.
>
> We are using JPA named queries which are parameterized. My question is,
> since we are using parameterized query, am i safe with SQL injection or i
> need to do define validation to escape special character to prevent SQL
> Injection.
>
> I have also read that most of Database vendor check escaping before
> executing query.
>
> can somebody help me to understand?
>
> thanks
> chintan
>
> --
> View this message in context:
> http://openjpa.208410.n2.nabble.com/JPA-Parameterized-query-SQL-Injection-tp6404249p6404249.html
> Sent from the OpenJPA Users mailing list archive at Nabble.com.
>
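As an added illustration of the distinction Kevin draws (this is example code, not from the thread or from OpenJPA itself), assuming a hypothetical `User` entity with a `name` field: the JPQL string manipulation that opens the door to injection, beside the parameterized named query chintan describes.

```java
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.NamedQuery;
import javax.persistence.TypedQuery;
import java.util.List;

// Hypothetical entity, used only to show the two query styles side by side.
@Entity
@NamedQuery(name = "User.byName",
            query = "SELECT u FROM User u WHERE u.name = :name")
class User {
    @Id
    private Long id;
    private String name;
    // getters and setters omitted for brevity
}

class UserRepository {
    private final EntityManager em;

    UserRepository(EntityManager em) {
        this.em = em;
    }

    // UNSAFE: the caller's input is spliced into the JPQL text itself.
    // A quote character in the input ends the string literal early, and
    // whatever follows is parsed as query syntax, so the input can change
    // the statement's structure before it is ever translated to SQL.
    List<User> findByNameUnsafe(String name) {
        String jpql = "SELECT u FROM User u WHERE u.name = '" + name + "'";
        return em.createQuery(jpql, User.class).getResultList();
    }

    // SAFE: the query text is fixed when the named query is defined; the
    // input is bound as a parameter *value*, so it is always treated as
    // data and can never alter the structure of the statement.
    List<User> findByName(String name) {
        TypedQuery<User> q = em.createNamedQuery("User.byName", User.class);
        q.setParameter("name", name);
        return q.getResultList();
    }
}
```

Note that parameters bind values only; they cannot stand in for identifiers such as an entity field name in an ORDER BY clause, so any such piece of the query that depends on user input still has to be chosen from a fixed set in code rather than concatenated.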