I want to add autocomplete to the search in my app. For this feature I used NamedQuery("userSuggest"). In JpaRepository I defined a method ("userSuggest") with one parameter. Here is my code:
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.NamedQueries;
import javax.persistence.NamedQuery;

@Entity
@NamedQueries({
    @NamedQuery(name = "User.userSuggest", query = "select u from User u where u.userName like :userName") })
public class User implements java.io.Serializable {
    @Id
    private Integer userId;
    private String userName;
    // setter and getter ...
}
and
import java.util.List;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.repository.query.Param;
import org.springframework.stereotype.Repository;

@Repository("userRepository")
public interface UserRepository extends JpaRepository<User, Integer> {
    // Resolves to the named query "User.userSuggest"; the return type must be the entity, User
    List<User> userSuggest(@Param("userName") String userName);
}
I call this method by passing the user's input plus a percent sign as the parameter:
userRepository.userSuggest(userInpoutData + "%");
Now the problem: when the user passes "%" (userInpoutData="%"), the method returns all existing users in the database. How can I prevent this SQL injection? I know that using entityManager.createNamedQuery (like How To Fix SQL Injection: JPA) solves this problem, but I don't know how to use it with Spring JpaRepository. Thanks.
This is not SQL injection. It is because of this:
userRepository.userSuggest(userInpoutData + "%");
So you get:
%%
Try this:
if (!userInpoutData.isEmpty() && !userInpoutData.equals("%")) {
    userRepository.userSuggest(userInpoutData + "%");
}
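The question's input is not an SQL injection (the query stays parameterised), but it is wildcard injection into a LIKE pattern: "%" and "_" inside the user's text are interpreted as pattern metacharacters, so "%" alone matches every row, and so would "a%" or "_". The check in the answer only covers the exact input "%". The usual mitigation is to escape the LIKE metacharacters in the user's text before appending the trailing wildcard, and to declare an ESCAPE character on the query. The code below is an added example, not from the question or the answer; it assumes the named query is changed to `select u from User u where u.userName like :userName escape '!'`, and the class names LikePatterns and UserSuggestService are hypothetical.

```java
import java.util.Collections;
import java.util.List;
import java.util.Objects;

import org.springframework.stereotype.Service;

// Added example: escape LIKE metacharacters so user text is matched literally.
// Assumes the named query reads:
//   select u from User u where u.userName like :userName escape '!'
// With that clause, '!' marks the following character as a literal.
final class LikePatterns {

    static final char ESCAPE = '!';

    private LikePatterns() {}

    // Escape '%', '_' and the escape character itself.
    // "%"      -> "!%"
    // "a_b"    -> "a!_b"
    // "50%!"   -> "50!%!!"
    static String escapeLike(String raw) {
        Objects.requireNonNull(raw, "raw");
        StringBuilder sb = new StringBuilder(raw.length() + 8);
        for (char c : raw.toCharArray()) {
            if (c == '%' || c == '_' || c == ESCAPE) {
                sb.append(ESCAPE);
            }
            sb.append(c);
        }
        return sb.toString();
    }

    // Prefix search pattern: the escaped user text followed by one real wildcard.
    // Input "%" becomes "!%%", which matches names starting with a literal '%'.
    static String prefixPattern(String userInput) {
        return escapeLike(userInput) + "%";
    }
}

@Service
class UserSuggestService {

    // Refuse empty prefixes outright: "%" alone would still return every user.
    private static final int MIN_PREFIX_LENGTH = 1;

    private final UserRepository userRepository;

    UserSuggestService(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    List<User> suggest(String userInput) {
        String trimmed = userInput == null ? "" : userInput.trim();
        if (trimmed.length() < MIN_PREFIX_LENGTH) {
            return Collections.emptyList();
        }
        // The repository method is the one from the question; only the pattern changes.
        return userRepository.userSuggest(LikePatterns.prefixPattern(trimmed));
    }
}
```

Escaping on the way in keeps the repository signature unchanged; the database treats the user's text as literal characters and only the wildcard appended by the service acts as a pattern. Limiting the number of rows returned (for example by adding a Pageable parameter to the repository method) is a separate, worthwhile guard against an autocomplete endpoint that returns the whole table.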