Are SQL injection attacks possible in JPA?

Front-end | Unresolved | 4 answers | 785 views
滥情空心 2020-12-08 04:05

I'm building a Java Web Application using Java EE 6 and JSF-2.0, using the persistence API for all database operations.

The back-end is MySQL, but I have used the

4 answers
  •  旧巷少年郎
    2020-12-08 04:52

    If your JPA provider processes all input arguments to handle injection attacks then you should be covered. We do this in EclipseLink.

    As the previous poster mentioned piecing together your own JPQL or SQL (for native queries) could expose you.

    I would recommend using named queries with parameters over concatenating strings to build JPQL/SQL.

    Doug
