Are SQL injection attacks possible in JPA?

sql-injection orm jpa jpql

I'm building a Java Web Application using Java EE 6 and JSF-2.0, using the persistence API for all database operations.

The back-end is MySQL, but I have used the EntityManager functions and Named Queries in EJB-QL for all operations. Are SQL injection attacks possible in this case?


It's only possible if you're inlining user-controlled variables in a SQL/JPQL string like so:

String sql = "SELECT u FROM User u WHERE id=" + id;

If you aren't doing that and are using parameterized/named queries only, then you're safe.


Yes, it is possible. It depends on the way you implement.
Have a look at Preventing injection in JPA query language.


If your JPA provider processes all input arguments to handle injection attacks then you should be covered. We do thin in EclipseLink.

As the previous poster mentioned piecing together your own JPQL or SQL (for native queries) could expose you.

I would recommend using named queries with parameters over concatenating strings to build JPQL/SQL.

Doug

Related

In maven, what is the difference between main/resources and main/config?
Rails: Difference between create and new methods in ActiveRecord?
Switch current branch in git bare repository
Can I receive a callback whenever an NSPasteboard is written to?
Objective-C: How do you access parent properties from subclasses?
Is it possible to create an HTML canvas without a DOM element?
mutable vs. immutable in Scala collections
string.c_str() deallocation necessary?
What properties does Node.js express's Error object expose?
Testing multiple activities with espresso
Knockout Filtering on Observable Array
What does this list permutations implementation in Haskell exactly do?