
Can I SQL-inject a JPQL parameter set by setParameter? I mean, I know I can do it if I have something like this:

String nm = "'anything' or 'x'='x'--";
// Vulnerable: the user-controlled value is concatenated into the query text
Query m = em.createQuery("SELECT p FROM Tbl p WHERE UPPER(p.name) = '" + nm + "'");

Can I do a similar thing with something like this?:

String nm = "'anything' or 'x'='x'--";
// Parameterized: the value is bound to the named parameter :param
Query m = em.createQuery("SELECT p FROM Tbl p WHERE UPPER(p.name) = :param")
           .setParameter("param", nm.toUpperCase());
Lukas Eder
HtonS

1 Answer


It seems that it is SQL-injection safe. I looked in the SQL query log: potentially dangerous symbols are escaped in the resulting SQL.

HtonS
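The difference between the two forms in the question, as an added example that is not part of the original post. It uses Python's sqlite3 module instead of JPA, because the mechanism is the same: a JDBC-backed JPA provider passes a setParameter value to the database as a bind variable, separate from the query text, so the value can never change the structure of the statement. The table, rows and payload below are constructed for the demonstration; the table is named tbl with a name column, mirroring the question's Tbl.name. The quote_literal helper is there only to illustrate the quote-doubling the answer saw in the query log, not something to use in place of bind parameters.

```python
import sqlite3

# Constructed sample data (assumption: a table like the question's "Tbl" with a "name" column).
SAMPLE_NAMES = ["alice", "bob", "carol"]

# Constructed payload that tries to close the quoted literal and append an always-true clause.
PAYLOAD = "anything' OR 'x'='x"


def open_db() -> sqlite3.Connection:
    """Create an in-memory table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO tbl (name) VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def query_concatenated(conn: sqlite3.Connection, nm: str) -> list[str]:
    """Vulnerable form (the first snippet in the question): the value is spliced
    into the query text, so the database parser sees whatever SQL it contains."""
    sql = "SELECT name FROM tbl WHERE UPPER(name) = '" + nm + "'"
    return [row[0] for row in conn.execute(sql)]


def query_bound(conn: sqlite3.Connection, nm: str) -> list[str]:
    """Safe form, the equivalent of setParameter: the query text is fixed and the
    value is handed to the driver separately, so it can only ever be data."""
    sql = "SELECT name FROM tbl WHERE UPPER(name) = :param"
    return [row[0] for row in conn.execute(sql, {"param": nm.upper()})]


def quote_literal(value: str) -> str:
    """Quote doubling, which is what a query log shows when a driver renders a
    bound value back into SQL text. Shown for comparison only; rely on binding."""
    return value.replace("'", "''")


def demo() -> dict[str, list[str]]:
    """Run the payload through both query forms and return the rows each one leaks."""
    conn = open_db()
    try:
        return {
            # Payload rewrites the WHERE clause: every row comes back.
            "concatenated": query_concatenated(conn, PAYLOAD),
            # Same payload as a bind variable: compared literally, matches nothing.
            "bound": query_bound(conn, PAYLOAD),
            # Escaped literal behaves like the bound value.
            "concatenated_escaped": query_concatenated(conn, quote_literal(PAYLOAD)),
            # Ordinary lookup still works through the bound form.
            "bound_legit": query_bound(conn, "Bob"),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:22} -> {rows}")
```

Running the script shows the concatenated query returning all three rows for the payload while the bound query returns none; the bound form still finds "bob" for a legitimate lookup. Uppercasing the parameter before binding, as the question does, only transforms the data and has no bearing on safety either way.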