Does Scala Anorm String Replacement Sanitize Inputs?
-
26-05-2021 - |
Вопрос
I am using the Play! framework along with Anorm to access the database. I often see examples like the following where object members are injected into the SQL statement directly.
My question is, are these inputs sanitized? Most examples look like the following:
object Person {
def save(p:Person) {
DB.withConnection ("default") { implicit connection =>
SQL("""
INSERT INTO person(firstName,lastName)
values ({firstName}, {lastName})
"""
).on(
"firstName" -> p.firstName,
"lastName" -> p.lastName
).executeUpdate()
}
}
}
I will attempt to find out by way of hacking, but it's easy to make a mistake so I thought asking was more appropriate, and I can draw on the wisdom of the crowd.
Решение
According to its source code, Anorm builds onlyjava.sql.PreparedStatements
, which prevent such SQL injection. (see the PreparedStatement wikipedia page for a general explanation)
Не связан с StackOverflow