We are using NamedParameterJdbcTemplate to achieve “IN” operator functionality. Is there any SQL Injection vulnerability when we use NamedParameterJdbcTemplate?
Answer
Since NamedParameterJdbcTemplate internally uses PreparedStatement for querying, and if you can make sure that you do not build the SQL query by somehow concatenating the input from the user, but use the placeholder :xxxx to specify their value, it should prevent SQL injection, as the query and the data entered by the user are sent to the DB separately.

Refer to this for the details about why it can prevent SQL injection thanks to such separation.
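As an added illustration of the point made in the answer (this is example code, not from the original post or from Spring), the following Java class shows the two ways of building an IN query: the unsafe version splices the caller's strings into the SQL text, while the safe version binds them through a `:statuses` placeholder. The repository class, the `orders` table and the `status` column are assumptions made for the example.

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.sql.DataSource;
import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
import org.springframework.jdbc.core.namedparam.SqlParameterSource;

/** Hypothetical repository; "orders" and "status" are assumed names for the example. */
public class OrderRepository {

    private final NamedParameterJdbcTemplate jdbc;

    public OrderRepository(DataSource dataSource) {
        this.jdbc = new NamedParameterJdbcTemplate(dataSource);
    }

    /**
     * UNSAFE: each status string becomes part of the SQL text itself, so the
     * database sees the user's input as query syntax rather than as data.
     * Shown only as the "before" form that the answer warns against.
     */
    public List<Map<String, Object>> findByStatusesUnsafe(List<String> statuses) {
        String joined = statuses.stream()
                .map(s -> "'" + s + "'")
                .collect(Collectors.joining(","));
        String sql = "SELECT id, status FROM orders WHERE status IN (" + joined + ")";
        return jdbc.getJdbcTemplate().queryForList(sql);
    }

    /**
     * SAFE: the SQL text contains only the ":statuses" placeholder. The template
     * expands a Collection value into one "?" per element and binds each element
     * as a PreparedStatement parameter, so the values travel separately from the query.
     */
    public List<Map<String, Object>> findByStatuses(List<String> statuses) {
        if (statuses.isEmpty()) {
            // "IN ()" is a syntax error on most databases; answer the empty case locally.
            return List.of();
        }
        SqlParameterSource params = new MapSqlParameterSource("statuses", statuses);
        return jdbc.queryForList(
                "SELECT id, status FROM orders WHERE status IN (:statuses)", params);
    }
}
```

Two practical notes on the safe form: the placeholder can only stand in for values, so table and column names still have to be constants in the code (or validated against an allow-list), and the collection expansion happens client-side in the template, which is why it is worth guarding the empty-list case before the query reaches the driver.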