TechQA.

Can I pass the stored procedure name as a parameter in spring jdbc? I want to ensure that there is no SQL injection as my procedure name is user input

64 views Asked by At

I am using Spring JDBC and I want to call a stored procedure which will have only 1 String argument. My problem is that the stored procedure name is a user input.

How to avoid SQL injection while doing this?

I am using Spring Boot and the stored procedure name is a user input and I don't have a defined entity so I am not using jpa respository.

I am using Single store DB

I tried the following but it gives me SQL Injection vulnerabilities.

String callStatement = String.format("ECHO %s (?)", procedureName);
Map<String, Object> res = jdbcTemplate.queryForMap(callStatement, arg);
java spring-boot stored-procedures spring-jdbc singlestore
Original Q&A
0

There are 0 answers

Related Questions in JAVA

Related Questions in SPRING-BOOT

Related Questions in STORED-PROCEDURES

Related Questions in SPRING-JDBC

Related Questions in SINGLESTORE

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions