I am using the Play! framework along with Anorm to access the database. I

Question

0

Asked: June 1, 20262026-06-01T01:03:51+00:00 2026-06-01T01:03:51+00:00

I am using the Play! framework along with Anorm to access the database. I

0

I am using the Play! framework along with Anorm to access the database. I often see examples like the following where object members are injected into the SQL statement directly.

My question is, are these inputs sanitized? Most examples look like the following:

object Person {
    def save(p:Person) {
        DB.withConnection ("default") { implicit connection =>
            SQL("""
                 INSERT INTO person(firstName,lastName)
                 values ({firstName}, {lastName})
                """
               ).on(
                "firstName" -> p.firstName,
                "lastName"  -> p.lastName
            ).executeUpdate()
        }
    }
}

I will attempt to find out by way of hacking, but it’s easy to make a mistake so I thought asking was more appropriate, and I can draw on the wisdom of the crowd.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-01T01:03:52+00:00

Editorial Team

2026-06-01T01:03:52+00:00Added an answer on June 1, 2026 at 1:03 am

According to its source code, Anorm builds onlyjava.sql.PreparedStatements, which prevent such SQL injection. (see the PreparedStatement wikipedia page for a general explanation)

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I am using the Play! framework along with Anorm to access the database. I

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply