Fix SQL Injection (Legacy & Modern) in Quarkus
Quarkus might be 'Supersonic Subatomic', but it is still vulnerable to classic SQLi if you treat queries as raw strings. Whether you use Hibernate ORM with JPQL or raw JDBC via Agroal, concatenating user input into your persistence layer is a one-way ticket to a full database dump. Stop being a script kiddie's favorite target by parameterizing your data layer properly.
The Vulnerable Pattern
```java
@GET
@Path("/user/{username}")
public User getVulnerable(@PathParam("username") String username) {
    // DANGER: string concatenation in JPQL/HQL leads to SQLi
    String q = "SELECT u FROM User u WHERE u.username = '" + username + "'";
    return entityManager.createQuery(q, User.class).getSingleResult();
}
```

```java
// Legacy JDBC version
public void deleteUser(String id) throws SQLException {
    Connection conn = dataSource.getConnection();
    Statement st = conn.createStatement();
    // DANGER: the id is spliced into the SQL text, so it can rewrite the statement
    st.executeUpdate("DELETE FROM users WHERE id = '" + id + "'");
}
```
The Secure Implementation
The vulnerability stems from the vulnerable code treating user input as part of the SQL command structure. By passing 'admin' OR '1'='1' as the username, an attacker can change the query logic. The secure code uses parameterized queries (bound parameters): the database engine parses and plans the query text first and treats the user input strictly as data, never as executable code. Quarkus's Panache extension simplifies this by binding parameters automatically under the hood when you use its find() or list() methods.
```java
@GET
@Path("/user/{username}")
public User getSecure(@PathParam("username") String username) {
    // MODERN: Panache binds the value as a query parameter
    return User.find("username", username).firstResult();
}

// ALTERNATIVE: named parameters in EntityManager
public User getSecureJPQL(String username) {
    return entityManager.createQuery("SELECT u FROM User u WHERE u.username = :name", User.class)
            .setParameter("name", username)
            .getSingleResult();
}
```

```java
// LEGACY FIX: PreparedStatement with a placeholder
public void deleteUserSecure(String id) throws SQLException {
    try (Connection conn = dataSource.getConnection();
         PreparedStatement ps = conn.prepareStatement("DELETE FROM users WHERE id = ?")) {
        ps.setString(1, id);
        ps.executeUpdate();
    }
}
```
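To see the difference the article describes without a running Quarkus app, the following added example (not code from the page or from the Quarkus project) runs the concatenated lookup and the bound-parameter lookup side by side against an in-memory H2 database, using the same 'admin' OR '1'='1' input from the explanation above. It assumes an H2 JDBC driver on the classpath (for instance the quarkus-jdbc-h2 extension or the com.h2database:h2 artifact); the table, its rows and the SqliDemo class name are constructed for the demo.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example: concatenated vs. bound-parameter lookups on H2.
 * Assumes an H2 driver is on the classpath; everything else is constructed.
 */
public class SqliDemo {

    // In-memory H2 database that lives as long as the JVM (constructed for the demo).
    static final String URL = "jdbc:h2:mem:sqlidemo;DB_CLOSE_DELAY=-1";

    // The tautology input discussed in the article, as it would arrive in a path parameter.
    static final String PAYLOAD = "admin' OR '1'='1";

    // Constructed schema and rows: three users, none of them named like the payload.
    static void setup(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement()) {
            st.execute("CREATE TABLE users (id INT PRIMARY KEY, username VARCHAR(64))");
            st.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
        }
    }

    // Vulnerable pattern: the input becomes part of the SQL text the engine parses.
    static int countConcatenated(Connection conn, String username) throws SQLException {
        String sql = "SELECT id FROM users WHERE username = '" + username + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            int n = 0;
            while (rs.next()) {
                n++;
            }
            return n;
        }
    }

    // Fixed pattern: the SQL text is fixed; the input is bound as a plain value.
    static int countBound(Connection conn, String username) throws SQLException {
        String sql = "SELECT id FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                int n = 0;
                while (rs.next()) {
                    n++;
                }
                return n;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(URL)) {
            setup(conn);
            System.out.println("legit user, concatenated: " + countConcatenated(conn, "alice"));
            System.out.println("payload, concatenated:    " + countConcatenated(conn, PAYLOAD));
            System.out.println("payload, bound:           " + countBound(conn, PAYLOAD));
        }
    }
}
```

With the concatenated query the WHERE clause becomes a tautology and every row in the table is returned; with the bound parameter the engine looks for a user literally named "admin' OR '1'='1" and finds nothing, because the quote characters never reach the parser. The same split is what Panache's find() and the EntityManager's setParameter() give you in the JPQL examples above.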
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.