Apart from Prepared Statement, is there a way to prevent SQL injection?


enataraj@...
 

Hi,

I would like to know, is there a way to prevent SQL injection by setting some properties on the DataNucleus / JDO side?

We are heavily using JDO in our product. Our security team is saying that the product is vulnerable to SQL injection attacks, and we are trying to address this issue. It ends with modifying the prepared statement before sending the query to objstore.query(), but we are looking for an alternate option; we are not sure that converting to prepared statements will cover all possible use cases. Another concern is that converting to prepared statements may end up with a performance impact.

Thanks.


Andy
 

DataNucleus USES PreparedStatements! The generated SQL passed into PreparedStatements is formed from your JDOQL and your JDOQL parameters.

Only your security team can define where they think there is a problem, by giving examples of your JDOQL and why they think that is a problem. Define examples so there is a basis for comment.
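The distinction Andy draws, between the JDOQL string and the JDOQL parameters, is where the vulnerability usually hides in a JDO application. The following is an added example, not code from this thread or from DataNucleus itself: a hypothetical `Account` class and two lookups. The first splices request input into the JDOQL filter string, so a crafted value can rewrite the filter's logic (JDOQL injection) before DataNucleus ever builds its PreparedStatement; the second declares the value as a JDOQL parameter, so it reaches the database as a bound PreparedStatement parameter and cannot change the query's structure. The properties-file name `datanucleus.properties` and the field names are assumptions.

```java
import java.util.List;
import javax.jdo.JDOHelper;
import javax.jdo.PersistenceManager;
import javax.jdo.PersistenceManagerFactory;
import javax.jdo.Query;
import javax.jdo.annotations.PersistenceCapable;
import javax.jdo.annotations.PrimaryKey;

// Hypothetical persistent class for the example (not from the original thread).
@PersistenceCapable
class Account {
    @PrimaryKey
    private long id;
    private String owner;
    private boolean locked;

    public Account(long id, String owner, boolean locked) {
        this.id = id;
        this.owner = owner;
        this.locked = locked;
    }

    public String getOwner() { return owner; }
    public boolean isLocked() { return locked; }
}

public class JdoqlParameterExample {

    // VULNERABLE: request input is concatenated into the JDOQL filter.
    // An input such as   x" || locked == true || owner == "   turns the filter into
    //   owner == "x" || locked == true || owner == "" && locked == false
    // so the caller gets locked accounts the filter was meant to exclude.
    @SuppressWarnings("unchecked")
    static List<Account> findUnlockedUnsafe(PersistenceManager pm, String ownerFromRequest) {
        Query q = pm.newQuery(Account.class);
        q.setFilter("owner == \"" + ownerFromRequest + "\" && locked == false");
        return (List<Account>) q.execute();
    }

    // SAFE: the value is a declared JDOQL parameter passed to execute().
    // DataNucleus generates SQL with a placeholder and binds the value through
    // the PreparedStatement, so the input is only ever compared as data.
    @SuppressWarnings("unchecked")
    static List<Account> findUnlockedSafe(PersistenceManager pm, String ownerFromRequest) {
        Query q = pm.newQuery(Account.class);
        q.declareParameters("String ownerParam");
        q.setFilter("owner == ownerParam && locked == false");
        return (List<Account>) q.execute(ownerFromRequest);
    }

    public static void main(String[] args) {
        // Assumption: a DataNucleus PMF configured by a properties file on the
        // classpath (hypothetical name) pointing at any RDBMS; Account must be enhanced.
        PersistenceManagerFactory pmf =
                JDOHelper.getPersistenceManagerFactory("datanucleus.properties");
        PersistenceManager pm = pmf.getPersistenceManager();
        try {
            pm.currentTransaction().begin();
            pm.makePersistent(new Account(1, "alice", false));
            pm.makePersistent(new Account(2, "bob", true));   // locked: must never be returned
            pm.currentTransaction().commit();

            // Constructed attacker input that closes the string literal and appends logic.
            String attacker = "x\" || locked == true || owner == \"";

            for (Account a : findUnlockedUnsafe(pm, attacker)) {
                System.out.println("unsafe query returned: " + a.getOwner()
                        + " locked=" + a.isLocked());
            }
            for (Account a : findUnlockedSafe(pm, attacker)) {
                System.out.println("safe query returned: " + a.getOwner());
            }
        } finally {
            if (pm.currentTransaction().isActive()) {
                pm.currentTransaction().rollback();
            }
            pm.close();
            pmf.close();
        }
    }
}
```

The practical check for a security review is therefore not whether DataNucleus uses PreparedStatements (it does) but whether any application code builds a JDOQL filter, ordering, or result clause by concatenating untrusted input instead of declaring it as a parameter; the safe form is the one to show the security team as the pattern the product follows.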