I have a library that executes a query based on a JPA WHERE statement provided by a caller. I am executing the following JPA query:
public void executeQuery(String jpaWhereStatement) {
    // The caller-supplied WHERE fragment is concatenated directly into the JPQL string
    String queryString = "SELECT entity FROM " + MyEntity.class.getSimpleName() + " entity WHERE " + jpaWhereStatement;
    // em is the injected javax.persistence.EntityManager (assumed; not shown in the original snippet)
    Query query = em.createQuery(queryString);
    // parameters referenced by the fragment are bound afterwards via query.setParameter(...)
    List<?> results = query.getResultList();
}
The query parameters are still inserted using query.setParameter(), but I am worried I might be allowing a SQL injection attack. If this is vulnerable, how can I fix this code?
Without knowing much about the caller, it’s difficult to say. It’s possible there is a vulnerability there if your where statement is not generated carefully. In general, this approach looks like a bad idea to me. I would, personally, be more explicit about how you’re generating that WHERE clause and always use parameters.
As a general rule, never trust any data being used to construct a SQL statement, whether it comes from the client or it comes from the DB.
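One way to be explicit about the WHERE clause, as the answer suggests: accept filter fields and values rather than a raw JPQL fragment, check every field name against a whitelist, and bind every value as a named parameter. This is an added example, not code from the question or the answer; it assumes the page's MyEntity has attributes named name, status and createdAt, and that an EntityManager is supplied by the caller.

```java
import javax.persistence.EntityManager;
import javax.persistence.TypedQuery;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class SafeEntityQuery {
    // Assumed whitelist of MyEntity attributes a caller may filter on.
    // Identifiers cannot be bound as parameters, so they are validated instead.
    private static final Set<String> ALLOWED_FIELDS = Set.of("name", "status", "createdAt");

    private final EntityManager em;

    public SafeEntityQuery(EntityManager em) {
        this.em = em;
    }

    // Builds "SELECT e FROM MyEntity e WHERE e.f0 = :p0 AND e.f1 = :p1 ..." from
    // whitelisted field names; the caller never contributes query text, only values.
    public List<MyEntity> findByEquals(Map<String, Object> equalsFilters) {
        StringBuilder jpql = new StringBuilder("SELECT e FROM MyEntity e");
        List<Object> boundValues = new ArrayList<>();
        String separator = " WHERE ";
        for (Map.Entry<String, Object> filter : equalsFilters.entrySet()) {
            String field = filter.getKey();
            if (!ALLOWED_FIELDS.contains(field)) {
                // Reject unknown identifiers instead of interpolating them
                throw new IllegalArgumentException("Unsupported filter field: " + field);
            }
            jpql.append(separator).append("e.").append(field)
                .append(" = :p").append(boundValues.size());
            boundValues.add(filter.getValue());
            separator = " AND ";
        }
        TypedQuery<MyEntity> query = em.createQuery(jpql.toString(), MyEntity.class);
        for (int i = 0; i < boundValues.size(); i++) {
            // Values are passed to the provider as parameters, never as query text
            query.setParameter("p" + i, boundValues.get(i));
        }
        return query.getResultList();
    }
}
```

With this shape, a value such as `' OR 1=1 --` is only ever compared against a column, because the query text is fixed before any caller data is seen.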