Is this JPA query vulnerable to SQL injection?
I have a library that executes a query based on a JPA WHERE statement provided by a caller. I am executing the following JPA query:
public void executeQuery(String jpaWhereStatement) {
    // The caller's text is spliced straight into the JPQL string
    String queryString = "SELECT entity FROM " + MyEntity.class.getSimpleName()
            + " entity WHERE " + jpaWhereStatement;
    javax.persistence.Query query = entityManager.createQuery(queryString); // entityManager: injected EntityManager (assumed)
}
The query parameters are still inserted using query.setParameter(), but I am worried I might be allowing a SQL injection attack. If this is vulnerable, how can I fix this code?
Without knowing much about the caller, it's difficult to say. It's possible there is a vulnerability there if your where statement is not generated carefully. In general, this approach looks like a bad idea to me. I would, personally, be more explicit about how you're generating that WHERE clause and always use parameters.
As a general rule, never trust any data being used to construct a SQL statement, whether it comes from the client or it comes from the DB.
As bunting pointed out (and Adam Bien as well), if you stick to parameterized queries, you should be golden. Of course, if there are general vulnerabilities present in your implementation, then you could be at risk.
As a rule of thumb, when user input or input from a GET request is involved, use Criteria to make sure parameters are escaped, i.e. DO NOT USE HQL.
If user input or input from GET is not involved, you can use HQL.
But yes, if you use setParameter(), there is probably no SQL injection problem.
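To make the advice in these answers concrete, here is an added example (not code from the question or from any answer) that puts the question's string-concatenation method next to two fixed-structure alternatives: a Criteria query whose filter field is checked against an allow-list, and a JPQL query with a bound named parameter. It assumes the jakarta.persistence API (older stacks use javax.persistence), that MyEntity is the page's entity class with hypothetical fields name and status, and that an EntityManager is supplied by the container.

```java
import jakarta.persistence.EntityManager;
import jakarta.persistence.criteria.CriteriaBuilder;
import jakarta.persistence.criteria.CriteriaQuery;
import jakarta.persistence.criteria.Root;
import java.util.List;
import java.util.Set;

public class EntityQueries {
    // Fields a caller is allowed to filter on (hypothetical entity fields).
    // Any other field name is rejected before it gets near the query.
    private static final Set<String> FILTERABLE_FIELDS = Set.of("name", "status");

    private final EntityManager entityManager; // assumed to be injected

    public EntityQueries(EntityManager entityManager) {
        this.entityManager = entityManager;
    }

    // UNSAFE (the pattern from the question): the caller's text becomes part
    // of the JPQL itself, so it controls the query's structure, not just a value.
    public List<MyEntity> findWhereUnsafe(String jpaWhereStatement) {
        String jpql = "SELECT entity FROM " + MyEntity.class.getSimpleName()
                + " entity WHERE " + jpaWhereStatement;
        return entityManager.createQuery(jpql, MyEntity.class).getResultList();
    }

    // SAFE: the query's structure is fixed in code. The field name is checked
    // against the allow-list and the value is bound, never concatenated.
    public List<MyEntity> findByField(String field, Object value) {
        if (!FILTERABLE_FIELDS.contains(field)) {
            throw new IllegalArgumentException("field not filterable: " + field);
        }
        CriteriaBuilder cb = entityManager.getCriteriaBuilder();
        CriteriaQuery<MyEntity> cq = cb.createQuery(MyEntity.class);
        Root<MyEntity> root = cq.from(MyEntity.class);
        cq.select(root).where(cb.equal(root.get(field), value));
        return entityManager.createQuery(cq).getResultList();
    }

    // SAFE, plain JPQL: the value travels as a named parameter via
    // setParameter(), which is what the answers above recommend.
    public List<MyEntity> findByName(String name) {
        return entityManager
                .createQuery("SELECT entity FROM MyEntity entity WHERE entity.name = :name",
                        MyEntity.class)
                .setParameter("name", name)
                .getResultList();
    }
}
```

If callers genuinely need more than an equality filter, extend findByField with a small set of explicitly supported operators rather than accepting a free-form WHERE clause.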