I’m building a Spring REST server application and I’m doing some native queries to retrieve data from my database. From the teaching in school, they suggest to make all queries prepared statements, to stop the user entering harmful SQL into the input boxes.
I’ve tried to do some research, but have not found a concrete answer. Does Spring use prepared statements by default? Here is a snippet of one of the queries I would like to santitise:
@Query(value = "DELETE FROM userMeds WHERE username = ?1 AND drug_id = ?2", nativeQuery = true)
void deleteByIdentity(String username, int drug_id);
If this does not use a prepared statement, how can I do so to avoid anything bad happening?
Thank you in advance
Advertisement
Answer
Prepared statement helps to avoid sql injection.
As far spring data jpa is concerned it accepts parameterized by default either xml, @NamedQuery or @Query so no need to worry about.