Can I pass the stored procedure name as a parameter in spring jdbc? I want to ensure that there is no SQL injection as my procedure name is user input

64 Views Asked by ashu.imgud At 15 December 2023 at 18:58

I am using Spring JDBC and I want to call a stored procedure which will have only 1 String argument. My problem is that the stored procedure name is a user input.

How to avoid SQL injection while doing this?

I am using Spring Boot and the stored procedure name is a user input and I don't have a defined entity so I am not using jpa respository.

I am using Single store DB

I tried the following but it gives me SQL Injection vulnerabilities.

String callStatement = String.format("ECHO %s (?)", procedureName);
Map<String, Object> res = jdbcTemplate.queryForMap(callStatement, arg);

Original Q&A

Can I pass the stored procedure name as a parameter in spring jdbc? I want to ensure that there is no SQL injection as my procedure name is user input

There are 0 best solutions below

Related Questions in JAVA

Related Questions in SPRING-BOOT

Related Questions in STORED-PROCEDURES

Related Questions in SPRING-JDBC

Related Questions in SINGLESTORE

Trending Questions

Popular # Hahtags

Popular Questions