I have tested the @Bind annotation with some SQL injection attempts and it seems like the input is sanitized. For the bind method, I am not sure whether that's also true.
Can someone confirm whether my guess is correct, with some reference? I cannot find anything in the documentation. Thanks.
Here is an example of using the @Bind annotation.
@SqlQuery("SELECT count(*)\n" +
"FROM member_preference_value WHERE member_id = :memberId and preference_id=:preferenceId")
int hasUserSetPreference(@Bind("preferenceId") Integer preferenceId,@Bind("memberId") String memberId) throws Exception;
Here is an example of using the bind method.
// sqlQuery and savedSearch are defined elsewhere in the posting code
Update update = handle.createStatement(sqlQuery)
        .bind("bookmark_id", savedSearch.getBookmarkId());
update.execute();
Both of your examples internally use JDBI's parameter binding mechanism, which eventually boils down to the standard JDBC PreparedStatement setXxx() family of methods.
You can confirm that yourself by tracing the JDBI source code from the bind method to StringArgument or similar classes, where SQL query parameter binding is implemented for every type.
So it's no more dangerous to use JDBI bind than to use plain JDBC PreparedStatement with the setString/setInt/setXxx methods.
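To see the difference between binding and string concatenation concretely, here is an added example (not code from the question or from the JDBI project) that runs both styles from the question against an in-memory H2 database with a classic tautology payload. It assumes JDBI 2 (org.skife.jdbi.v2, the API the question's handle.createStatement call belongs to) and the H2 driver are on the classpath; the table and column names are taken from the question, and the rows inserted are constructed sample data.

```java
import org.skife.jdbi.v2.DBI;
import org.skife.jdbi.v2.Handle;
import org.skife.jdbi.v2.sqlobject.Bind;
import org.skife.jdbi.v2.sqlobject.SqlQuery;
import org.skife.jdbi.v2.util.IntegerMapper;

public class BindVsConcat {

    // SQL Object style, same shape as the question's @Bind example.
    // Each :name placeholder is rewritten to a JDBC '?' and the argument is
    // passed through PreparedStatement.setXxx(), never spliced into the SQL text.
    public interface PreferenceDao {
        @SqlQuery("SELECT count(*) FROM member_preference_value "
                + "WHERE member_id = :memberId AND preference_id = :preferenceId")
        int hasUserSetPreference(@Bind("preferenceId") Integer preferenceId,
                                 @Bind("memberId") String memberId);
    }

    // Fluent style, same mechanism as the question's bind() example.
    static int countBound(Handle h, String memberId) {
        return h.createQuery("SELECT count(*) FROM member_preference_value WHERE member_id = :memberId")
                .bind("memberId", memberId)
                .map(IntegerMapper.FIRST)
                .first();
    }

    // DELIBERATELY VULNERABLE, for comparison only: the value becomes part of the
    // SQL string, so a quote inside it changes the structure of the WHERE clause.
    static int countConcatenated(Handle h, String memberId) {
        return h.createQuery("SELECT count(*) FROM member_preference_value "
                + "WHERE member_id = '" + memberId + "'")
                .map(IntegerMapper.FIRST)
                .first();
    }

    public static void main(String[] args) {
        // Assumption: org.jdbi:jdbi (2.x) and com.h2database:h2 are on the classpath.
        DBI dbi = new DBI("jdbc:h2:mem:bindtest");
        try (Handle h = dbi.open()) {
            // Constructed sample data, not taken from the original post.
            h.execute("CREATE TABLE member_preference_value (member_id VARCHAR(64), preference_id INT)");
            h.execute("INSERT INTO member_preference_value VALUES (?, ?)", "alice", 1);
            h.execute("INSERT INTO member_preference_value VALUES (?, ?)", "bob", 1);
            h.execute("INSERT INTO member_preference_value VALUES (?, ?)", "carol", 2);

            // Tautology payload: as SQL text it turns the filter into "... OR '1'='1'".
            String payload = "x' OR '1'='1";

            System.out.println("concatenated: " + countConcatenated(h, payload));

            System.out.println("bound (fluent): " + countBound(h, payload));

            PreferenceDao dao = h.attach(PreferenceDao.class);
            System.out.println("bound (@Bind): " + dao.hasUserSetPreference(1, payload));
            System.out.println("bound (@Bind), legitimate id: " + dao.hasUserSetPreference(1, "alice"));
        }
    }
}
```

Run it and the concatenated query matches every row, because the payload has rewritten the WHERE clause, while both bound variants match nothing: the driver sends the whole payload, quotes included, as one string parameter. One caveat worth keeping in mind: binding protects values only. A table or column name cannot be a JDBC parameter, so any code that builds identifiers into the SQL string still needs its own allow-list, regardless of how the values are bound.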