How to avoid SQL injection when a query is coming as a parameter of a method in Java?

91 views Asked by At
public static RepositoryItem[] executeQuery(Repository repository, String query,Object[] params)
{
    RepositoryItem[] data = null;

    try {
        RepositoryView repositoryView = repository.getView(viewName);
        RqlStatement statement = RqlStatement.parseRqlStatement(query);
    }
}

The query is a parameterized query.

1

There are 1 answers

0
crowne On

Depending on which database your are using, you could define the SQL connection or DBConnectionPool using credentials of a user which has readonly access. Any statement which is unauthorized will be rejected by the DBMS.