There is no built-in support for java.sql.Statement enquoteIdentifier, enquoteLiteral, or enquoteNCharLiteral. They should be defined as SQL_INJECTION_SAFE:
Why SQL_INJECTION_SAFE?
It's highlighting the risk of SQL injection due to the lack of built-in escaping mechanisms.
The annotations don't magically make custom escaping methods safe.
Consider switching to Prepared Statements, as this is the recommended and most secure approach. Prepared statements separate data from the SQL query, and the database handles escaping, mitigating injection risks.
That said, these also aren't custom escaping methods. They are escaping methods implemented either by the JDBC driver or by Java (if the driver hasn't overridden the default implementation).
We are using PreparedStatements to the degree allowed. So values are always supplied via bind variables, but column names are escaped using the appropriate method.
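The pattern the last comment describes, shown as an added example that is not code from this issue or from the analysis tool it concerns: values go through bind parameters, while a dynamic column name is checked against an allow-list and then passed through `Statement.enquoteIdentifier` before it is spliced into the SQL text. The `orders` table, its columns and the `SORTABLE` set are assumptions made for the example. The `jdkDefaultsOnly()` stand-in exists only so the example runs without a database: it routes the `Statement` interface's default methods to the JDK implementation (Java 16+ for `InvocationHandler.invokeDefault`), which is exactly what a driver that has not overridden them would use.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class SafeDynamicColumn {

    // Assumed allow-list of columns a caller may sort by; the application decides this, not the user.
    private static final Set<String> SORTABLE = Set.of("id", "created_at", "status");

    /**
     * Builds the SQL text. The column name must be on the allow-list, and even then it is
     * emitted as a delimited identifier via enquoteIdentifier(..., true). The WHERE value is
     * not part of the text at all; it is bound in findOrderIds.
     */
    static String buildQuery(Statement stmt, String sortColumn) throws SQLException {
        if (!SORTABLE.contains(sortColumn)) {
            throw new SQLException("column not sortable: " + sortColumn);
        }
        String quoted = stmt.enquoteIdentifier(sortColumn, true); // e.g. "created_at"
        return "SELECT id, status FROM orders WHERE customer_id = ? ORDER BY " + quoted;
    }

    /** Runs the query against a real connection (assumed schema: orders(id, status, customer_id)). */
    static List<Long> findOrderIds(Connection conn, String sortColumn, long customerId) throws SQLException {
        String sql;
        try (Statement s = conn.createStatement()) {
            sql = buildQuery(s, sortColumn); // identifier escaping comes from the driver or JDK default
        }
        List<Long> ids = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, customerId); // value supplied as a bind variable, never concatenated
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    ids.add(rs.getLong("id"));
                }
            }
        }
        return ids;
    }

    /**
     * Stand-in Statement for running this example offline: default interface methods
     * (enquoteIdentifier, enquoteLiteral, ...) run the JDK implementation, everything else
     * is refused. Requires Java 16+.
     */
    static Statement jdkDefaultsOnly() {
        return (Statement) Proxy.newProxyInstance(
            Statement.class.getClassLoader(), new Class<?>[] {Statement.class},
            (proxy, method, args) -> {
                if (method.isDefault()) {
                    return InvocationHandler.invokeDefault(proxy, method, args);
                }
                throw new UnsupportedOperationException(method.getName());
            });
    }

    public static void main(String[] args) throws SQLException {
        Statement stmt = jdkDefaultsOnly();

        // Allow-listed name, emitted delimited: ... ORDER BY "created_at"
        System.out.println(buildQuery(stmt, "created_at"));

        // A name outside the allow-list is rejected before any quoting is attempted.
        try {
            buildQuery(stmt, "id; DROP TABLE orders");
        } catch (SQLException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // The JDK default escaping on its own: a non-simple name is wrapped in double quotes,
        // and a name that itself contains a double quote is refused rather than escaped.
        System.out.println(stmt.enquoteIdentifier("order count", true)); // "order count"
        try {
            stmt.enquoteIdentifier("a\"b", true);
        } catch (SQLException e) {
            System.out.println("invalid identifier: " + e.getMessage());
        }
        System.out.println(stmt.enquoteLiteral("O'Brien")); // 'O''Brien'
    }
}
```

The allow-list is the primary control here; `enquoteIdentifier` is the second layer that makes the resulting text well-formed for the driver's dialect and refuses names the JDK default cannot delimit safely. A driver may override these methods, so the exact output (for instance backticks instead of double quotes) depends on which JDBC driver created the `Statement`.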