Home/ Questions/Q 6931285
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T11:33:26+00:00

I am wondering how Spring MVC handles SQL injections (and other security issues: XSS,

  • 0

I am wondering how Spring MVC handles SQL injections (and other security issues: XSS, code [javascript] injection, etc). I’m talking mostly about escaping the values that are added to DBs and such. I can’t seem to find any answer because every time I search for spring sql injection results that involve dependency injection arise.

My flow is as follows: from the client browser I make a request consisting of an JSON with some query parameters (not the SQL statement, that would be too stupid – to form the SQL query in JS). When the request reaches the properly annotated method in the Controller, the request is mapped via @RequestBody using Jackson to an “request object”. Now this object is sent to the DAO, where using JDBC Template I query the db (and using RowMapper I map the results).

In the DAO I have something like:

public int countAll(RequestObject request) {
    String sql = "SELECT count(*) FROM employees WHERE name = '" + request.getName() + "'";

    JdbcTemplate jdbcTemplate = new JdbcTemplate(dataSource);
    int count = jdbcTemplate.queryForInt(sql);

    return count;
}

Now is this approach safe from SQL injection?
Are non-JDBCTemplate -based queries safe given that are flowing through Spring MVC?

Could we have a little discussion on this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Anytime you build a query by concatenation you are vunerlable to injection attacks

    pass your parameters correctly:

    jdbcTemplate.queryForInt(sql, args, argTypes)

    for example:

            JdbcTemplate insert = new JdbcTemplate(dataSource);
    insert.update("INSERT INTO PERSON (FIRSTNAME, LASTNAME) VALUES(?,?)",
            new Object[] { firstName, lastName });
    • 0