
I am using the Play! framework along with Anorm to access the database. I often see examples like the following where object members are injected into the SQL statement directly.

My question is, are these inputs sanitized? Most examples look like the following:

import anorm._
import play.api.db.DB
import play.api.Play.current   // implicit Application required by DB.withConnection in Play 2.x

case class Person(firstName: String, lastName: String)

object Person {
    def save(p: Person) {
        DB.withConnection("default") { implicit connection =>
            // {firstName} and {lastName} are named placeholders; .on() binds the values
            SQL("""
                 INSERT INTO person(firstName,lastName)
                 values ({firstName}, {lastName})
                """
               ).on(
                "firstName" -> p.firstName,
                "lastName"  -> p.lastName
            ).executeUpdate()
        }
    }
}

I will attempt to find out by way of hacking, but it's easy to make a mistake so I thought asking was more appropriate, and I can draw on the wisdom of the crowd.

i.am.michiel
Jacob Groundwater

1 Answer


According to its source code, Anorm builds only java.sql.PreparedStatements, which prevent such SQL injection. (see the PreparedStatement wikipedia page for a general explanation)

Emre
paradigmatic
  • Could you please update your "its source code" link to https://github.com/playframework/anorm/blob/1384c85434254da8cbd73ac5ba93bf258c04bf12/core/src/main/scala/anorm/SimpleSql.scala#L8-L19? – Kevin Meredith Jul 06 '16 at 21:21
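The following is an added, standalone example (not code from the question, the answer, or the Anorm project) that shows the point of the answer in practice: values passed through `{placeholder}` and `.on(...)` are bound as PreparedStatement parameters, so a value containing a quote is stored and compared literally, whereas splicing the value into the SQL string with interpolation leaves nothing for Anorm to parameterize. It assumes Anorm 2.x and the H2 JDBC driver on the classpath; the in-memory `jdbc:h2:mem:demo` database, the `person` table and the sample names are constructed for the demo.

```scala
// Added example, not part of the original question or answer.
// Assumptions: Anorm 2.x and the H2 driver are available; the H2 in-memory
// database and the sample rows below are constructed for this demo.
import java.sql.{Connection, DriverManager}
import scala.util.Try
import anorm._
import anorm.SqlParser.str

object AnormParameterDemo {

  case class Person(firstName: String, lastName: String)

  // Row parser: reads the two text columns of a result row into a Person.
  val personParser: RowParser[Person] =
    str("firstName") ~ str("lastName") map { case f ~ l => Person(f, l) }

  // Parameterized insert: each {name} becomes a JDBC "?" parameter that
  // .on(...) binds by name; the SQL text never contains the user values.
  def save(p: Person)(implicit c: Connection): Int =
    SQL("""INSERT INTO person(firstName, lastName)
           VALUES ({firstName}, {lastName})""")
      .on("firstName" -> p.firstName, "lastName" -> p.lastName)
      .executeUpdate()

  // Parameterized lookup: a quote inside lastName is plain data here.
  def findByLastName(lastName: String)(implicit c: Connection): List[Person] =
    SQL("SELECT firstName, lastName FROM person WHERE lastName = {lastName}")
      .on("lastName" -> lastName)
      .as(personParser.*)

  // Anti-pattern, shown only for contrast: the value is interpolated into the
  // SQL text before Anorm sees it, so it is parsed as SQL, not bound as data.
  def findByLastNameUnsafe(lastName: String)(implicit c: Connection): List[Person] =
    SQL(s"SELECT firstName, lastName FROM person WHERE lastName = '$lastName'")
      .as(personParser.*)

  def main(args: Array[String]): Unit = {
    // Assumed: H2 in-memory database, kept alive for the life of the JVM.
    implicit val c: Connection =
      DriverManager.getConnection("jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1")
    SQL("CREATE TABLE person(firstName VARCHAR(64), lastName VARCHAR(64))").execute()

    save(Person("Miles", "O'Brien"))   // apostrophe needs no escaping by the caller
    save(Person("Ada", "Lovelace"))

    // Bound parameter: the apostrophe is matched literally.
    println(s"parameterized lookup: ${findByLastName("O'Brien")}")
    // -> List(Person(Miles,O'Brien))

    // Interpolated string: the same legitimate name breaks the statement,
    // because the quote now terminates the SQL literal. Try() catches the
    // SQLException so the demo keeps running.
    Try(findByLastNameUnsafe("O'Brien")).failed.foreach { e =>
      println(s"interpolated lookup failed: ${e.getClass.getSimpleName}")
    }

    c.close()
  }
}
```

The contrast is the whole lesson: `findByLastName` is what the question's `save` method does, and the quote in "O'Brien" never reaches the SQL parser; `findByLastNameUnsafe` uses Scala's `s"..."` interpolation, which concatenates the text before `SQL(...)` is called, so the same input is a syntax error today and a much worse problem with input chosen by an attacker. Keep every user-supplied value in `.on(...)` (or Anorm's `SQL"..."` interpolator, which also produces bound parameters) and never build the query string from it.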