开发者

Does Spring JDBC provide any protection from SQL injection attacks?

开发者 https://www.devze.com 2023-03-31 18:43 出处:网络
Spring\'s JdbcTemplate abstraction provides a lot of functionality, but can it be used in such a way that provides protection from SQL injection attacks?

Spring's JdbcTemplate abstraction provides a lot of functionality, but can it be used in such a way that provides protection from SQL injection attacks?

For example, like the ki开发者_JS百科nd of protection you would get using PreparedStatement with properly defined parameterization.


It most certainly does. This example is straight from the Spring 3.0 docs (but is the same in 2.*):

String lastName = this.jdbcTemplate.queryForObject( 
        "select last_name from t_actor where id = ?", 
        String.class, 1212L); 

As you can see, it strongly favors prepared statements (which it must be using behind the scenes for you): you specify the parameters with placeholders (?) and supply an array of objects to fill into the parameters. (The last parameter is the type of the expected result, but that's not very relevant for this question.)

You can also use a NamedParameterJdbcTemplate and supply the parameters in a Map, which is perhaps less efficient but definitely more mnemonic.

0

精彩评论

暂无评论...
验证码 换一张
取 消