
Good Afternoon

I believe that using org.springframework.data.jpa.repository.Query in combination with org.springframework.data.repository.query.Param prevents SQL injection through these parameters.
For example:

@Query("DELETE User c WHERE c.issuer = :issuer AND c.subject = :subject")
void deleteByIssSub(@Param("issuer") String issuer, @Param("subject") String subject);

should be secure. Please correct me, if I am wrong.

Now I'm looking for documentation which describes that the usage of @Param in combination with @Query prevents SQL injection (through string escaping). But I can't find this documentation.

Am I wrong?

T

1 Answer

Does this help? How to prevent SQL Injection with JPA and Hibernate?

By default, when you are using named arguments ( :issuer ) and when you are setting parameters ( .setParameter("issuer", issuer) ) in your code, the chance of SQL injection is reduced to 0, because you are building the query through your code: you are not allowing a user to send any query to the database in altered form; the only thing they can send are arguments, and only the expected arguments.

https://mkyong.com/hibernate/hibernate-parameter-binding-examples/

As long as you avoid building dynamic queries with String concatenation you will be safe, but if you really need to use dynamic queries, you need to use the Criteria API instead.

EDIT: No one can guarantee that for you, because, and I quote from the OWASP page: "Hibernate does not grant immunity to SQL Injection, one can misuse the API as they please." So no one will say that it is 100% bulletproof, because people can code and use the API in ways it was not supposed to be used or designed for. https://owasp.org/www-community/Hibernate#Security_Implications

Who is OWASP? The OWASP® Foundation works to improve the security of software through its community-led open-source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.

No matter how much a car might be safe, the manufacturer will never say "our car is uncrashable", they will just state that it is really safe. The same goes for security. Nothing is 100% safe with the human factor involved.

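As an added example (not code from the question, the answer, or the Spring Data project), here is the asker's repository method completed, placed next to the EntityManager misuse the answer warns about and next to the Criteria API form the answer recommends for dynamic queries. It assumes Spring Boot 2 / Spring Data JPA 2.x with javax.persistence (Spring Boot 3 uses jakarta.persistence instead), Java 11 or later, and a hypothetical User entity with issuer and subject fields; the names UserQueries, findByIssuerUnsafe, findByIssuerSafe, search and SORTABLE are my own and not from the page.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.Table;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Predicate;
import javax.persistence.criteria.Root;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Modifying;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.transaction.annotation.Transactional;

// Hypothetical entity assumed by this example. "User" is a reserved word in
// several databases, so the table is mapped to a different name.
@Entity
@Table(name = "app_user")
class User {
    @Id
    Long id;
    String issuer;
    String subject;
}

// The asker's repository, completed. Spring Data JPA runs an @Query with bound
// parameters: the JPQL string is a compile-time constant, and :issuer / :subject
// are filled through the JPA parameter API, never by splicing text into the
// statement. A DELETE/UPDATE @Query also needs @Modifying (and a transaction)
// to execute at all.
interface UserRepository extends JpaRepository<User, Long> {

    @Modifying
    @Transactional
    @Query("DELETE FROM User c WHERE c.issuer = :issuer AND c.subject = :subject")
    int deleteByIssSub(@Param("issuer") String issuer, @Param("subject") String subject);
}

// The same idea written against the EntityManager directly, with the misuse
// the answer warns about placed next to the safe form.
class UserQueries {
    // Fields a caller may sort by. Anything else is rejected, because an
    // ORDER BY column cannot be bound as a parameter and must not be concatenated.
    private static final Set<String> SORTABLE = Set.of("issuer", "subject");

    private final EntityManager em;

    UserQueries(EntityManager em) {
        this.em = em;
    }

    // VULNERABLE: the value becomes part of the JPQL text. An issuer such as
    //   x' OR '1'='1
    // turns the WHERE clause into  u.issuer = 'x' OR '1'='1'  and returns every row.
    List<User> findByIssuerUnsafe(String issuer) {
        String jpql = "SELECT u FROM User u WHERE u.issuer = '" + issuer + "'";
        return em.createQuery(jpql, User.class).getResultList();
    }

    // SAFE: the same query with a named parameter. The provider sends the value
    // separately from the statement, so it is only ever compared as data.
    List<User> findByIssuerSafe(String issuer) {
        return em.createQuery("SELECT u FROM User u WHERE u.issuer = :issuer", User.class)
                 .setParameter("issuer", issuer)
                 .getResultList();
    }

    // Dynamic query (optional subject filter, caller-chosen sort field) built with
    // the Criteria API instead of string concatenation. Values still travel as
    // parameters; the only structural input, the sort field, is allow-listed.
    List<User> search(String issuer, String subjectOrNull, String sortField) {
        if (!SORTABLE.contains(sortField)) {
            throw new IllegalArgumentException("unsupported sort field: " + sortField);
        }
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<User> cq = cb.createQuery(User.class);
        Root<User> u = cq.from(User.class);

        List<Predicate> where = new ArrayList<>();
        where.add(cb.equal(u.get("issuer"), issuer));
        if (subjectOrNull != null) {
            where.add(cb.equal(u.get("subject"), subjectOrNull));
        }
        cq.select(u)
          .where(where.toArray(new Predicate[0]))
          .orderBy(cb.asc(u.get(sortField)));
        return em.createQuery(cq).getResultList();
    }
}
```

Two points worth checking in your own code. First, binding protects values only: entity names, attribute names and ORDER BY columns are structure, cannot be parameters, and need an allow-list like SORTABLE if they come from the caller. Second, the JPQL grammar defined by the JPA specification requires DELETE FROM; Hibernate's HQL tolerates the question's "DELETE User c" form, but the portable spelling is used here.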

3 Comments

Thank you, but this isn't what I'm looking for. I'm looking for documentation or an API where I can see that @Query and @Param are safe to use. Something like a proof. Not just an answer in a forum or a reference to the similar setParameter method... I found the documentation saying that setParameter is safe: baeldung.com/sql-injection#1parameterized-queries
I will update my answer just to provide you more info of why you cannot find any proof in the docs. Also, Baeldung is not documentation, it is a site where programmers with a green light from moderators post their examples in exchange for cash.
Okay, thank you. I understand your point. I was thinking that something like this must be the reason for the missing information. I don't need a promise that everything is safe, but I would have a good feeling when I find a place where somebody wrote that they know about the issue of SQL injection and built in some mechanisms to prevent it. Otherwise I would think the author doesn't care about SQL injection and passes that responsibility to the programmer who uses the library.
