Using parameterized and/or named queries should be safe from SQL injection attacks. SQL injection attacks can normally happen if you are performing your own JPQL string manipulation with input from a user. The use of parameterized input values is much safer.
Kevin

On Wed, May 25, 2011 at 2:51 PM, chintan4181 <[email protected]> wrote:
> Hi,
>
> I am not sure whether this is the right forum, but I have one question on
> parameterized queries. As per my knowledge, to prevent (or minimize) SQL
> injection attacks we should use parameterized queries.
>
> We are using JPA named queries which are parameterized. My question is,
> since we are using parameterized queries, am I safe from SQL injection or do I
> need to define validation to escape special characters to prevent SQL
> injection?
>
> I have also read that most database vendors check escaping before
> executing a query.
>
> Can somebody help me to understand?
>
> thanks
> chintan
>
> --
> View this message in context:
> http://openjpa.208410.n2.nabble.com/JPA-Parameterized-query-SQL-Injection-tp6404249p6404249.html
> Sent from the OpenJPA Users mailing list archive at Nabble.com.
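To make the distinction in Kevin's answer concrete, here is an added example (not code from the thread or from OpenJPA) showing the JPQL string concatenation he warns about next to the named, parameterized query the poster is already using. The `User` entity, the `User.byName` query and the `UserLookup` class are hypothetical; `EntityManager` and `@NamedQuery` are the standard `javax.persistence` JPA API.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.NamedQuery;
import javax.persistence.TypedQuery;

// Hypothetical entity. ":name" is a bind parameter: the JPQL text is fixed
// at definition time and the value travels to the driver separately.
@Entity
@NamedQuery(name = "User.byName",
            query = "SELECT u FROM User u WHERE u.name = :name")
class User {
    @Id private Long id;
    private String name;
    public String getName() { return name; }
}

class UserLookup {
    private final EntityManager em;
    UserLookup(EntityManager em) { this.em = em; }

    // UNSAFE: the caller's input is spliced into the query text itself, so a
    // quote or operator inside 'name' changes the query grammar. Even a
    // legitimate value such as the constructed "O'Brien" breaks this query
    // (unbalanced quote), which is the symptom of the same defect.
    List<User> findUnsafe(String name) {
        String jpql = "SELECT u FROM User u WHERE u.name = '" + name + "'";
        return em.createQuery(jpql, User.class).getResultList();
    }

    // SAFE: the named query is parsed once with the placeholder in place;
    // setParameter binds the raw value, so it is never interpreted as JPQL
    // or SQL. "O'Brien" is matched literally and no manual escaping is needed.
    List<User> findSafe(String name) {
        TypedQuery<User> q = em.createNamedQuery("User.byName", User.class);
        return q.setParameter("name", name).getResultList();
    }

    // Input validation still has a place for business rules (length, allowed
    // characters), but it is not what prevents injection here; binding is.
    List<User> findValidated(String name) {
        if (name == null || name.length() > 100) {
            throw new IllegalArgumentException("name must be 1-100 chars");
        }
        return findSafe(name);
    }
}
```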
