
I am wondering how Spring MVC handles SQL injections (and other security issues: XSS, code [JavaScript] injection, etc.). I'm talking mostly about escaping the values that are added to DBs and such. I can't seem to find any answer because every time I search for "spring sql injection", results that involve dependency injection arise.

My flow is as follows: from the client browser I make a request consisting of a JSON with some query parameters (not the SQL statement, that would be too stupid - to form the SQL query in JS). When the request reaches the properly annotated method in the Controller, the request is mapped via @RequestBody using Jackson to a "request object". Now this object is sent to the DAO, where using JdbcTemplate I query the DB (and using RowMapper I map the results).

In the DAO I have something like:

public int countAll(RequestObject request) {
    // the request value is concatenated straight into the SQL text
    String sql = "SELECT count(*) FROM employees WHERE name = '" + request.getName() + "'";

    JdbcTemplate jdbcTemplate = new JdbcTemplate(dataSource);
    int count = jdbcTemplate.queryForInt(sql);

    return count;
}

Now, is this approach safe from SQL injection? Are non-JdbcTemplate-based queries safe given that they are flowing through Spring MVC?

Could we have a little discussion on this?

BogdanSorlea

1 Answer


Any time you build a query by concatenation you are vulnerable to injection attacks.

Pass your parameters correctly:

jdbcTemplate.queryForInt(sql, args, argTypes)

for example:

JdbcTemplate insert = new JdbcTemplate(dataSource);
insert.update("INSERT INTO PERSON (FIRSTNAME, LASTNAME) VALUES(?,?)",
        new Object[] { firstName, lastName });
Michael W
  • Yes, actually that's somewhat obvious to me. The question is... in cases like the one I explained above Spring escapes anything or not? Now, thinking back, I think it doesn't, but just to be sure I'd rather ask. – BogdanSorlea Dec 12 '11 at 10:10
  • 2
    And yet you havent implemented it. Spring will not escape anything. Based on the info you have given the above is your only issue. – Michael W Dec 12 '11 at 10:18
  • 1
    And this question does not just relate to spring or java. Totally accept this answer. – Mukus Mar 07 '14 at 02:39