SqlTaintedPersistence.java
{
// BAD: the category might have Java Persistence Query Language special characters in it
// ITEM_CATEGORY is read from the process environment, i.e. from outside the program, and is
// concatenated directly into the JPQL text. Nothing validates or escapes it, so a value that
// contains a quote or other JPQL syntax changes the structure of the query rather than being
// matched as a plain string.
String category = System.getenv("ITEM_CATEGORY");
// NOTE(review): this JDBC Statement is created but never used in this snippet; the query below
// is issued through the JPA EntityManager, not through `statement`.
Statement statement = connection.createStatement();
String query1 = "SELECT p FROM Product p WHERE p.category LIKE '"
+ category + "' ORDER BY p.price";
// createQuery parses the whole concatenated string as JPQL, so whatever `category` held is
// interpreted as query syntax at this point — this is the injection sink.
Query q = entityManager.createQuery(query1);
}
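{
// GOOD: use a named parameter and set its value
String category = System.getenv("ITEM_CATEGORY");
// The JPQL text is a fixed literal; `:category` is a placeholder that the provider binds
// separately, so the environment value never becomes part of the query syntax.
// (Fixed: the original line was missing its terminating semicolon.)
String query2 = "SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price";
Query q = entityManager.createQuery(query2);
// Binding passes the value as data. Note that it does not neutralise LIKE wildcards
// (`%`, `_`): a category containing them still widens the match, so add an ESCAPE clause
// to the query if exact matching of those characters is required.
q.setParameter("category", category);
}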
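{
// GOOD: use a positional parameter and set its value
String category = System.getenv("ITEM_CATEGORY");
// The JPQL text is a fixed literal; `?1` is a positional placeholder bound below, so the
// environment value is never parsed as query syntax.
// (Fixed: the original line was missing its terminating semicolon.)
String query3 = "SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price";
Query q = entityManager.createQuery(query3);
// Positional parameters are 1-based in JPA. Binding passes the value as data; it does not
// neutralise LIKE wildcards (`%`, `_`), so add an ESCAPE clause if those must match literally.
q.setParameter(1, category);
}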
{
// GOOD: use a named query with a named parameter and set its value
// The JPQL is declared statically in the annotation, so no runtime string can alter its
// structure; `:category` is the only variable part and is bound below.
// NOTE(review): NQ is an illustrative holder for the annotation — in a persistence unit a
// @NamedQuery is normally declared on an entity class; confirm placement in real code.
@NamedQuery(
name="lookupByCategory",
query="SELECT p FROM Product p WHERE p.category LIKE :category ORDER BY p.price")
private static class NQ {}
...
String category = System.getenv("ITEM_CATEGORY");
// Look the query up by its declared name; the text itself is never built at runtime.
Query namedQuery1 = entityManager.createNamedQuery("lookupByCategory");
// Bound as data. LIKE wildcards (`%`, `_`) in the value are still interpreted by LIKE.
namedQuery1.setParameter("category", category);
}
{
// GOOD: use a named query with a positional parameter and set its value
// Same pattern as the named-parameter form, but the placeholder is positional (`?1`).
// The JPQL text is fixed at declaration time and only the parameter value varies.
// NOTE(review): this snippet reuses the name "lookupByCategory"; presumably each example is
// standalone, since named-query names must be unique within one persistence unit.
@NamedQuery(
name="lookupByCategory",
query="SELECT p FROM Product p WHERE p.category LIKE ?1 ORDER BY p.price")
private static class NQ {}
...
String category = System.getenv("ITEM_CATEGORY");
// Look the query up by name; no runtime string concatenation is involved.
Query namedQuery2 = entityManager.createNamedQuery("lookupByCategory");
// Positional parameters are 1-based. The value is bound as data, but LIKE wildcards
// (`%`, `_`) it contains are still interpreted by LIKE.
namedQuery2.setParameter(1, category);
}