Is the SimpleJdbcTemplate in Spring safe from SQL Injection?
I realise it's possible to pass in a manually constructed String to the execute(String)
which is vulnerable. However I'm interested in where you pass the parameters to the query using MapSqlParameterSource or one of the other exposed methods such as in the below examples. Digging into the source it looks like it's using a prepared statement in each of these, so I think injection is not possible. However I'm no security expert so just wanted to confirm.
Example 1:
getSimpleJdbcTemplate().queryForObject("SELECT * FROM table WHERE value = ?",
new ObjectMapper(), code);
Example 2:
getSimpleJdbcTemplate()
.update(
"insert into table "
+ "(column1, column2, column3, column4, column5) VALUES "
+ "(:column1, :column2, :column3, :column4, :column5)",
new MapSqlParameterSource().addValue("column1",
value1).addValue("column2",
value2).addValue("column3",
value3).addValue("column4",
开发者_如何学Python value4).addValue("column5", value5));
Yes, the above code is safe from injection - it uses parameter binding.
精彩评论