Critiq Docs

security.sql-injection

Do not build JPA or JDBC queries by concatenating user-controlled input

`createQuery`, `createNativeQuery`, `JdbcTemplate` calls, and string-based `@Query` values must not stitch SQL with request data using `+`, `String.format`, or similar.

#Metadata

| Field | Value |
| --- | --- |
| Rule ID | `java.security.jpa-concatenated-query` |
| Severity | critical |
| Confidence | 0.84 |
| Languages | java |
| Presets | security, strict |
| Stability | experimental |
| Applies to | block |
| Tags | java, jdbc, jpa, rules-catalog, security, sql-injection |

#Why it matters

SQL or JPQL assembled from untrusted fragments lets a request change the structure of the statement, not just the values it compares against; that is SQL injection. Parameterized queries and named parameters hand values to the driver separately from the query text, so the text is fixed at compile time and the value can never be parsed as SQL. They are the safe default.

#Remediation

Bind request values as JPQL named parameters (`:email`), as `?` placeholders in `PreparedStatement` or `JdbcTemplate` calls, or build the statement with the JPA Criteria API (`CriteriaQuery`, `CriteriaUpdate`); never interpolate request values into query text. Parameters bind values only: a column name, table name or sort direction taken from the request cannot be parameterized and must be checked against a fixed allow-list before it is placed in the query.
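The following Java class is an added illustration of the patterns this rule flags and of the remediation above; it is not code from Critiq or from its rule catalog. It assumes a hypothetical `User` entity mapped to a `users` table with `email` and `name` columns, a JPA `EntityManager` and a Spring `JdbcTemplate` supplied by the caller. The first two methods are the concatenation shapes the rule reports; the remaining three show bound parameters and an allow-listed sort column.

```java
import java.util.List;
import java.util.Set;

import jakarta.persistence.Entity;
import jakarta.persistence.EntityManager;
import jakarta.persistence.Id;
import jakarta.persistence.Table;
import jakarta.persistence.TypedQuery;
import jakarta.persistence.criteria.CriteriaBuilder;
import jakarta.persistence.criteria.CriteriaQuery;
import jakarta.persistence.criteria.Root;

import org.springframework.jdbc.core.JdbcTemplate;

// Hypothetical entity assumed by this example (not part of the rule page).
@Entity
@Table(name = "users")
class User {
    @Id String email;
    String name;

    protected User() {}

    User(String email, String name) {
        this.email = email;
        this.name = name;
    }
}

public class UserLookup {

    private final EntityManager em;
    private final JdbcTemplate jdbc;

    public UserLookup(EntityManager em, JdbcTemplate jdbc) {
        this.em = em;
        this.jdbc = jdbc;
    }

    // FLAGGED by java.security.jpa-concatenated-query: request data stitched
    // into JPQL with "+". The input   ' OR '1'='1   turns the WHERE clause
    // into a tautology and returns every row.
    public List<User> findByEmailUnsafe(String email) {
        return em.createQuery(
                "SELECT u FROM User u WHERE u.email = '" + email + "'", User.class)
                .getResultList();
    }

    // FLAGGED: String.format is concatenation by another name; the value
    // is still spliced into the SQL text before the driver sees it.
    public List<User> findByNameUnsafe(String name) {
        String sql = String.format("SELECT email, name FROM users WHERE name = '%s'", name);
        return jdbc.query(sql, (rs, rowNum) -> new User(rs.getString("email"), rs.getString("name")));
    }

    // OK: JPQL named parameter. The query text is constant; the value is
    // bound by setParameter and can never be parsed as part of the statement.
    public List<User> findByEmail(String email) {
        TypedQuery<User> q = em.createQuery(
                "SELECT u FROM User u WHERE u.email = :email", User.class);
        q.setParameter("email", email);
        return q.getResultList();
    }

    // OK: JdbcTemplate "?" placeholder; Spring issues a PreparedStatement and
    // sends the argument out of band from the SQL text.
    public List<User> findByName(String name) {
        return jdbc.query(
                "SELECT email, name FROM users WHERE name = ?",
                (rs, rowNum) -> new User(rs.getString("email"), rs.getString("name")),
                name);
    }

    // Identifiers cannot be bound as parameters, so a caller-chosen sort
    // column is checked against a fixed allow-list and then applied through
    // the Criteria API rather than concatenated into an ORDER BY clause.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("email", "name");

    public List<User> listSorted(String sortBy, boolean descending) {
        if (!SORTABLE_COLUMNS.contains(sortBy)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortBy);
        }
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaQuery<User> cq = cb.createQuery(User.class);
        Root<User> root = cq.from(User.class);
        cq.select(root).orderBy(descending ? cb.desc(root.get(sortBy)) : cb.asc(root.get(sortBy)));
        return em.createQuery(cq).getResultList();
    }
}
```

The same distinction applies to a string-based Spring Data `@Query`: write the value as a named parameter (`WHERE u.email = :email`) and pass it through the method argument rather than assembling the annotation value at runtime. A useful self-check when reviewing a finding is to ask whether the query string passed to `createQuery`, `createNativeQuery` or `JdbcTemplate` is a compile-time constant; if any request-derived string reaches it, the call is an injection point regardless of how the string was joined.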

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/java/java.security.jpa-concatenated-query.rule.yaml.