The code you've posted is safe, as the class Class
is final and can't be extended and is inexorably tied to the class it represents which means you won't be able to pass it a fake class where getName()
returns a custom string, furthermore you cannot have a class name which includes the punctuation necessary to use SQL injection. e.g., this is impossible:
class ' or '1'='1; DROP TABLE USERS; --