Java Spring Boot sample showing how to use parameters in SQL prepared statements: a good practice for performance reasons, and also a good way to improve the security of your application



This is not a commercial tool. It was developed for test purposes only, so it comes without any warranty.

Feel free to test, use and/or modify it.

For more details see the LICENSE file.


Using parameters in a Java SQL PreparedStatement is good practice for performance reasons, but it is also a good way to improve the security of your application.

  • Imagine that you have the query " SELECT * FROM USER_TEST WHERE USER = " and your code appends the "user" parameter at the end of the statement to get the user's details.
  • Imagine you expose this service through a RESTful end-point like: http://localhost:8080/user/info?user=User3
  • The potential problem is that someone could exploit this "bad design" by replacing the user parameter, as in http://localhost:8080/user/info?user=User3' OR 'A'='A, and get the details of all users: the appended text becomes part of the SQL, so the WHERE clause is always true.
  • But if you use parameters, as in " SELECT * FROM USER_TEST WHERE USER = ?", the value is bound as data instead of being concatenated into the statement text, which closes this security hole in your application (and, of course, improves the performance of your query).
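The following is an added, self-contained example (not code from this project) that runs both variants against an H2 in-memory database so the difference can be observed directly. The schema and rows are constructed for the demo; the column is named USER_NAME rather than USER to avoid clashing with the SQL USER keyword in some databases. It assumes the com.h2database:h2 driver is on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class PreparedStatementDemo {

    // Constructed sample schema and data for this demo (not the project's own).
    private static final String[] SETUP = {
        "CREATE TABLE USER_TEST (USER_NAME VARCHAR(50) PRIMARY KEY, EMAIL VARCHAR(100))",
        "INSERT INTO USER_TEST VALUES ('User1', 'user1@example.com')",
        "INSERT INTO USER_TEST VALUES ('User2', 'user2@example.com')",
        "INSERT INTO USER_TEST VALUES ('User3', 'user3@example.com')"
    };

    // Vulnerable variant: the request value is pasted into the SQL text, so the
    // database cannot distinguish the user's data from the query's code.
    static List<String> findByConcatenation(Connection conn, String user) throws SQLException {
        String sql = "SELECT * FROM USER_TEST WHERE USER_NAME = '" + user + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return collectUsers(rs);
        }
    }

    // Hardened variant: the SQL text is fixed and the value is bound to the "?"
    // placeholder, so the driver always treats it as a single string literal.
    static List<String> findByParameter(Connection conn, String user) throws SQLException {
        String sql = "SELECT * FROM USER_TEST WHERE USER_NAME = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                return collectUsers(rs);
            }
        }
    }

    private static List<String> collectUsers(ResultSet rs) throws SQLException {
        List<String> users = new ArrayList<>();
        while (rs.next()) {
            users.add(rs.getString("USER_NAME"));
        }
        return users;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                for (String ddl : SETUP) {
                    st.execute(ddl);
                }
            }
            String normal = "User3";
            String malformed = "User3' OR 'A'='A";   // the input quoted in this README

            // Concatenation: the normal input returns one row, the malformed input
            // returns every row. Binding: the normal input returns one row, the
            // malformed input matches no row because no USER_NAME has that value.
            System.out.println("concatenation, normal    : " + findByConcatenation(conn, normal));
            System.out.println("concatenation, malformed : " + findByConcatenation(conn, malformed));
            System.out.println("parameter, normal        : " + findByParameter(conn, normal));
            System.out.println("parameter, malformed     : " + findByParameter(conn, malformed));
        }
    }
}
```

A check like this makes a useful regression test for a DAO: assert that the bound-parameter query returns exactly one row for a real user and zero rows for a value that is not a user name, so any future change back to string concatenation is caught.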

If you have found a better solution for one or more cases, or you want to share your best practices with us, please let me know and I will update this project.


  • Includes an H2 in-memory database (check the configuration values). You can access its console through the "/h2" end-point
  • Includes a sample controller -> service -> DAO flow
  • Includes unit tests using:
    • Mockito for Spring Boot 1.4 or higher
  • Tested with Spring Boot versions:
    • 1.5.4.RELEASE


GET end-point:


http://localhost:8080/user/info?user=[User Value]
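As an added illustration of the controller -> service -> DAO flow behind that end-point (example code, not the project's own classes; the class names and the USER_TEST table are assumptions), this shows where the request parameter enters and how Spring's JdbcTemplate binds it to the "?" placeholder instead of concatenating it into the statement. It assumes Spring Boot 1.5.x with spring-boot-starter-web and spring-boot-starter-jdbc on the classpath, and an auto-configured H2 data source.

```java
import java.util.List;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.stereotype.Repository;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// DAO layer: the only place where SQL lives. The query text is a constant and
// the user value travels separately as a bound parameter.
@Repository
class UserDao {
    private static final String FIND_BY_USER = "SELECT * FROM USER_TEST WHERE USER = ?";

    private final JdbcTemplate jdbcTemplate;

    @Autowired
    UserDao(JdbcTemplate jdbcTemplate) {
        this.jdbcTemplate = jdbcTemplate;
    }

    // queryForList(sql, args...) hands "user" to the driver as parameter 1;
    // it is never spliced into the SQL string.
    List<Map<String, Object>> findByUser(String user) {
        return jdbcTemplate.queryForList(FIND_BY_USER, user);
    }
}

// Service layer: business rules go here; it never builds SQL itself.
@Service
class UserService {
    private final UserDao userDao;

    @Autowired
    UserService(UserDao userDao) {
        this.userDao = userDao;
    }

    List<Map<String, Object>> userInfo(String user) {
        return userDao.findByUser(user);
    }
}

// Controller layer: maps GET /user/info?user=... and passes the raw request
// value down unchanged; safety comes from the binding in the DAO, not from
// any escaping performed here.
@RestController
@RequestMapping("/user")
class UserController {
    private final UserService userService;

    @Autowired
    UserController(UserService userService) {
        this.userService = userService;
    }

    @GetMapping("/info")
    List<Map<String, Object>> info(@RequestParam("user") String user) {
        return userService.userInfo(user);
    }
}
```

With this layering a unit test can mock UserDao with Mockito and verify that the service forwards the parameter untouched, while a DAO test against the H2 database checks that a value such as User3' OR 'A'='A yields no rows.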

GitHub repository:


Let me know if you have any problems, comments or new ideas:



Edited on: 20th June 2017