
Fix SQL Injection (Legacy & Modern) in Spring WebFlux

Reactive environments like Spring WebFlux don't magically sanitize inputs. SQL injection (SQLi) in WebFlux usually occurs when developers bypass the R2DBC abstraction and build dynamic queries by raw string concatenation. Whether you use DatabaseClient or custom repositories, failing to bind parameters is a critical failure that can lead to full database compromise.

The Vulnerable Pattern

public Flux<User> getInsecureUser(String username) {
    // DANGER: string concatenation puts untrusted input into the SQL text itself
    String query = "SELECT * FROM users WHERE username = '" + username + "'";
    return databaseClient.sql(query)
        .map((row, metadata) -> new User(row.get("id", Integer.class), row.get("username", String.class)))
        .all();
}

The Secure Implementation

The vulnerable code treats the username input as part of the SQL command structure, allowing an attacker to manipulate the query logic (e.g., by passing "' OR '1'='1"). The secure implementation uses bind(), which relies on R2DBC parameter markers, so the database driver treats the input strictly as data rather than executable code, neutralizing SQL injection by design. For modern implementations, prefer ReactiveCrudRepository, which handles parameter binding automatically.

public Flux<User> getSecureUser(String username) {
    // FIX: the SQL text is constant; the value travels as a bind parameter
    return databaseClient.sql("SELECT * FROM users WHERE username = :user")
        .bind("user", username)
        .map((row, metadata) -> new User(row.get("id", Integer.class), row.get("username", String.class)))
        .all();
}

// ALTERNATIVE: Spring Data R2DBC repository; the named parameter is bound automatically
public interface UserRepository extends ReactiveCrudRepository<User, Integer> {
    @Query("SELECT * FROM users WHERE username = :username")
    Flux<User> findByUsername(String username);
}
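The fixes above cover values, but the dynamic-query case mentioned in the introduction often also involves an identifier such as an ORDER BY column, which R2DBC bind markers cannot carry. The following added example (not GuardAPI's code) keeps the value as a `:user` bind parameter and restricts the identifier to an allow-list; the `SafeUserQuery` and `Spec` names and the `users` columns `id`, `username` and `created_at` are assumptions.

```java
import java.util.Map;
import java.util.Objects;
import java.util.Set;

// Added example: separates query structure from data for a filtered, sorted lookup.
// The username is never placed in the SQL text; the sort column is an identifier,
// so it is checked against a fixed allow-list instead of being bound.
public final class SafeUserQuery {

    // The only column names a caller may sort on (assumed schema).
    private static final Set<String> SORTABLE = Set.of("id", "username", "created_at");

    // SQL text plus the values to bind. With DatabaseClient this becomes:
    //   databaseClient.sql(spec.sql()).bind("user", spec.bindings().get("user"))
    public record Spec(String sql, Map<String, Object> bindings) {}

    public static Spec byUsername(String username, String sortColumn, boolean ascending) {
        Objects.requireNonNull(username, "username");
        // Identifiers cannot be bound, so reject anything outside the allow-list
        // before it reaches the query text.
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String sql = "SELECT id, username FROM users WHERE username = :user"
                + " ORDER BY " + sortColumn + (ascending ? " ASC" : " DESC");
        // The value goes into the bindings map only; the driver receives it as data.
        return new Spec(sql, Map.of("user", username));
    }

    public static void main(String[] args) {
        // The payload from the article, supplied as a value: it is bound, not spliced,
        // so the database compares it literally against the username column.
        Spec bound = byUsername("' OR '1'='1", "username", true);
        System.out.println(bound.sql());
        System.out.println(bound.bindings());

        // The same payload in identifier position is refused by the allow-list.
        try {
            byUsername("alice", "' OR '1'='1", true);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```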


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.