Cybersecurity

Sistema IA
08 Jun 2026
Prevention of SQL and XSS Injections in RESTful APIs
========================================================

Introduction


RESTful APIs are essential for the integration of applications and cloud services, but they are also vulnerable to malicious code injection attacks, such as SQL and XSS. In this article, we will explore best practices and techniques to prevent SQL and XSS injections in RESTful APIs.

SQL injections


SQL injections occur when an attacker injects malicious SQL code into an application to access sensitive data or modify the database. Below are best practices to prevent SQL injections:

1. Using Prepared Queries



Prepared queries are the primary defence against SQL injection. The SQL text is fixed when the query is prepared and the user-supplied values are sent to the database separately as parameters, so a value can never be interpreted as part of the SQL code.

Code example in Java (Spring Boot)
```java
public interface UserRepository extends JpaRepository<User, Long> {
    // Native SQL with a named parameter: :name is bound by the driver, never concatenated into the text
    @Query(value = "SELECT * FROM users WHERE name = :name", nativeQuery = true)
    List<User> findUserByName(@Param("name") String name);
}
```

2. Use of prepared statements



Prepared statements use the same mechanism for statements that modify data (UPDATE, DELETE); in Spring Data JPA such queries must additionally be marked @Modifying and run inside a transaction.

Code example in Java (Spring Boot)
```java
public interface UserRepository extends JpaRepository<User, Long> {
    @Modifying   // required for UPDATE/DELETE queries declared with @Query
    @Transactional
    @Query(value = "UPDATE users SET name = :name WHERE id = :id", nativeQuery = true)
    void updateUser(@Param("name") String name, @Param("id") Long id);
}
```

3. Use of ORM (Object-Relational Mapping)



ORMs like Hibernate generate parameterized SQL for their query APIs, so values passed through setParameter are bound rather than concatenated. This protection is lost if the application builds a JPQL, HQL or native query string by concatenating user input.

Code example in Java (Hibernate)
```java
import java.util.List;
import jakarta.persistence.*;   // javax.persistence.* on Spring Boot 2 / older Hibernate

// Each class lives in its own source file.
@Entity
@Table(name = "users")
public class User {
    @Id
    @GeneratedValue
    private Long id;

    @Column(name = "name")
    private String name;
}

public class DAOUser {
    @PersistenceContext
    private EntityManager em;

    public List<User> findUsersByName(String name) {
        // JPQL with a named parameter: the value is bound, never concatenated into the query text
        TypedQuery<User> query =
            em.createQuery("SELECT u FROM User u WHERE u.name = :name", User.class);
        query.setParameter("name", name);
        return query.getResultList();
    }
}
```

4. User input validation



User input validation is an important complementary layer. Validate type, presence, length and format at the API boundary so that malformed data is rejected early; this does not replace parameterized queries, which are what actually keep user data out of the SQL text.

Code example in Java (Spring Boot)
```java
@PostMapping("/users")
public ResponseEntity<User> createUser(@RequestBody @Valid User user) {
    // Presence check; @Valid also enforces any Bean Validation constraints declared on User
    if (user.getName() == null || user.getName().isBlank()) {
        return ResponseEntity.badRequest().build();
    }
    // Persist through JPA, which binds the values as parameters (userRepository is an injected UserRepository)
    User saved = userRepository.save(user);
    return ResponseEntity.status(HttpStatus.CREATED).body(saved);
}
```
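As an added example that is not part of the original article, the following Python script runs the concatenated and the parameterized form of the name lookup from sections 1 to 3 against a constructed in-memory SQLite table, and adds the presence/length check from section 4; the table rows and the inputs are constructed for the demo.

```python
import sqlite3


# Constructed in-memory table standing in for the article's "users" table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    return conn


def find_by_name_concat(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable form: the value is pasted into the SQL text, so any quote in it
    # changes the meaning of the statement.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_param(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized form, the equivalent of the article's @Query with :name:
    # the SQL text is fixed and the value is bound separately, always as data.
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def validate_name(name) -> bool:
    # Defense-in-depth presence and length check, as in the article's controller;
    # it complements parameterization rather than replacing it.
    return isinstance(name, str) and 0 < len(name.strip()) <= 64


def demo() -> dict:
    conn = make_db()
    out = {}
    tautology = "x' OR '1'='1"   # constructed input containing a closing quote
    out["concat_rows"] = len(find_by_name_concat(conn, tautology))  # 3: WHERE clause rewritten
    out["param_rows"] = len(find_by_name_param(conn, tautology))    # 0: no user has that literal name
    try:  # a legitimate apostrophe breaks the concatenated query too
        find_by_name_concat(conn, "O'Brien")
        out["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        out["concat_apostrophe"] = "syntax error"
    out["param_apostrophe"] = find_by_name_param(conn, "O'Brien")[0][1]  # "O'Brien"
    out["blank_rejected"] = not validate_name("   ")
    return out


if __name__ == "__main__":
    print(demo())
```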

XSS injections


Cross-Site Scripting (XSS) occurs when an attacker gets script into a page that is served to other users, so that the browser runs it with the victim's session and can read sensitive data or perform actions on the victim's behalf. Below are best practices to prevent XSS:

1. Use of character escaping



Character escaping is the basic defence against XSS. Before untrusted data is inserted into HTML, the characters that have meaning in HTML (&, <, >, " and ') are replaced with their entity equivalents, so the browser renders them as text instead of interpreting them as markup.

JavaScript code example
```javascript
// HTML-entity escape; JavaScript's built-in escape() is a deprecated URL percent-encoder, not an HTML escaper
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
const name = "<script>alert('XSS')</script>";
const escapedName = escapeHtml(name);
console.log(escapedName); // Output: &lt;script&gt;alert(&#39;XSS&#39;)&lt;/script&gt;
```

2. Use of escaping libraries



Libraries like DOMPurify help when user-supplied HTML must be rendered as HTML, where escaping every special character would destroy the intended markup: DOMPurify sanitizes the input, removing dangerous elements and attributes (script tags, event handlers and the like) while keeping the safe markup.

JavaScript code example
```javascript
import DOMPurify from "dompurify"; // sanitizer: keeps safe markup, strips scripts and event handlers
const name = "<script>alert('XSS')</script>";
const sanitizedName = DOMPurify.sanitize(name);
console.log(sanitizedName); // Output: "" (the script element is removed entirely)
```
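The following is an added example, not from the original article, written in Python rather than the article's JavaScript: it escapes the article's probe string for both element-text and attribute contexts with the standard library's html.escape, and shows the JSON response shape a REST endpoint should use instead of HTML. The X-Content-Type-Options header is an assumed best practice not mentioned in the article.

```python
import html
import json

# Constructed sample input: the article's own probe string.
UNTRUSTED_NAME = "<script>alert('XSS')</script>"


def escape_html(value: str) -> str:
    # quote=True also converts " and ', so the result is safe both as element
    # text and inside a double- or single-quoted attribute value.
    return html.escape(value, quote=True)


def render_greeting(name: str) -> str:
    # Server-side HTML rendering of the value in two contexts; each insertion
    # point is escaped individually, never the whole template after the fact.
    safe = escape_html(name)
    return f'<p>Hello, {safe}</p>\n<input name="user" value="{safe}">'


def json_response(name: str) -> tuple:
    # A REST endpoint should return JSON, not HTML. The Content-Type plus the
    # nosniff header (assumed best practice, not from the article) stop the
    # browser from interpreting the body as a document; escaping is then the
    # job of whichever client renders the value into HTML.
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, json.dumps({"name": name})


def contains_script_tag(markup: str) -> bool:
    # Demo check: does an unescaped <script opening tag survive in the output?
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_greeting(UNTRUSTED_NAME))
    print(json_response(UNTRUSTED_NAME))
```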

3. Use of Content-Security-Policy (CSP)



Content-Security-Policy is an HTTP response header (or, as below, a meta tag) that tells the browser which origins a page may load scripts and other resources from. With script-src limited to trusted origins and without 'unsafe-inline', an injected inline script is not executed even if escaping was missed somewhere.

HTML code example
```html
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://cdn.example.com;">
```

4. Use of HTTPS



Using HTTPS is crucial as well. HTTPS encrypts and authenticates the communication between the client and the server, which prevents an on-path attacker from injecting scripts into responses while they are in transit; it does not protect against XSS that originates from untrusted data rendered by the application itself, so it complements the escaping and CSP measures above rather than replacing them.

Code example in Apache
```apache
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/example
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    # Disable legacy protocol versions
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
```

RESTful API architecture


RESTful API architecture is crucial to prevent SQL and XSS injections. Here is a secure RESTful API architecture:

[Figure: RESTful API architecture]

Security Settings


Security settings are crucial to prevent SQL and XSS injections. Below are some recommended security settings:

Security configuration in Spring Boot
```properties
spring.datasource.url=jdbc:mysql://localhost:3306/example
# Use a dedicated least-privilege database account, not root, and keep the credentials
# out of the file (the ${...} placeholders are resolved from environment variables)
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PASSWORD}
# Never let Hibernate alter the schema in production; validate the mappings against it instead
spring.jpa.hibernate.ddl-auto=validate
# Do not echo SQL statements into the logs in production; it leaks schema details
spring.jpa.show-sql=false
spring.jpa.properties.hibernate.format_sql=true
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQLDialect
```

Security configuration in Apache
```apache
<Directory /var/www/example>
    # No directory listings
    Options -Indexes +FollowSymLinks
    AllowOverride None
    # Apache 2.4 access control (replaces the 2.2-style "Order allow,deny" / "allow from all")
    Require all granted
</Directory>

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>

<IfModule mod_security2.c>
    # ModSecurity 2.x directives; SecFilter* belongs to the obsolete 1.x syntax and is ignored here
    SecRuleEngine On
    SecRequestBodyAccess On
</IfModule>
```

Security configuration in Nginx
```nginx
server {
    # Terminate TLS here; a certificate on a plain "listen 80" block is never used
    listen 443 ssl;
    server_name example.com;

    root /var/www/example;
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    ssl_certificate /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
```

Conclusion


Preventing SQL and XSS injections is crucial for the security of RESTful APIs. In this article, best practices and techniques to prevent SQL and XSS injections have been presented, including the use of prepared queries, prepared statements, ORMs, user input validation, character escaping, escaping libraries, Content-Security-Policy and HTTPS. Additionally, a secure RESTful API architecture and recommended security configurations for Spring Boot, Apache, and Nginx have been introduced.