
For example, if I have code like what is featured below to add a new user, is it vulnerable to SQL injection? The user object has been created from user input (i.e. name, email, password). I've used parameterized queries for my getUser method but I wasn't sure about merge and persist.

import javax.persistence.EntityManager;
import javax.persistence.EntityTransaction;

public static void addUser(User user) {
    // DBUtil.getEmFactory() returns the application's EntityManagerFactory
    EntityManager em = DBUtil.getEmFactory().createEntityManager();
    EntityTransaction trans = em.getTransaction();
    trans.begin();
    try {
        // persist() hands the entity's field values to the provider, which binds
        // them as statement parameters rather than splicing them into SQL text
        em.persist(user);
        trans.commit();
    } catch (Exception e) {
        System.out.println(e);
        // rollback() throws if the transaction is no longer active
        if (trans.isActive()) {
            trans.rollback();
        }
    } finally {
        em.close();
    }
}
    JDBC uses parameters to inhibit that. So a JPA implementation is no more prone to it than a JDBC application. Nov 15, 2015 at 5:28
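To make the distinction in the question and the comment concrete, here is an added example (not the asker's code) contrasting the one place a JPA application does stay exposed, a query string built by concatenation, with the bound-parameter form that persist() and merge() use internally. It assumes the asker's User entity has a name attribute and that an EntityManager is obtained as in the question.

```java
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.TypedQuery;

// Added example; User and DBUtil are assumed to be the asker's own classes.
public class UserQueries {

    // Unsafe: the user-supplied value becomes part of the JPQL text, so a
    // quote character in it terminates the string literal and the rest of
    // the input is parsed as query syntax. This is the JPA shape of the
    // classic SQL-injection bug; persist() and merge() never build SQL this way.
    public static List<User> findByNameUnsafe(EntityManager em, String name) {
        String jpql = "SELECT u FROM User u WHERE u.name = '" + name + "'";
        return em.createQuery(jpql, User.class).getResultList();
    }

    // Safe: the value is bound to a named parameter and reaches the database
    // as a PreparedStatement argument, exactly as the field values of an
    // entity passed to persist() or merge() do.
    public static List<User> findByNameSafe(EntityManager em, String name) {
        TypedQuery<User> q = em.createQuery(
            "SELECT u FROM User u WHERE u.name = :name", User.class);
        q.setParameter("name", name);
        return q.getResultList();
    }

    // Native SQL through JPA follows the same rule: positional "?" parameters
    // are bound, concatenated values are not.
    public static List<User> findByEmailNative(EntityManager em, String email) {
        return em.createNativeQuery(
                "SELECT * FROM users WHERE email = ?1", User.class)
            .setParameter(1, email)
            .getResultList();
    }

    public static void main(String[] args) {
        EntityManager em = DBUtil.getEmFactory().createEntityManager();
        try {
            // Review checklist: every query string must be a constant; user
            // input enters only through setParameter(), as in the two safe
            // methods above, or through persist()/merge() on an entity.
            List<User> users = findByNameSafe(em, args.length > 0 ? args[0] : "");
            System.out.println(users.size() + " user(s) found");
        } finally {
            em.close();
        }
    }
}
```

With Hibernate as the provider, setting hibernate.show_sql=true lets you confirm this: the INSERT emitted by persist() shows ? placeholders rather than the entity's values inlined in the statement.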
