I realise it's possible to pass in a manually constructed String to the execute(String)
which is vulnerable. However I'm interested in where you pass the parameters to the query using MapSqlParameterSource or one of the other exposed methods such as in the below examples. Digging into the source it looks like it's using a prepared statement in each of these, so I think injection is not possible. However I'm no security expert so just wanted to confirm.
Example 1:
getSimpleJdbcTemplate().queryForObject("SELECT * FROM table WHERE value = ?",
new ObjectMapper(), code);
Example 2:
getSimpleJdbcTemplate()
.update(
"insert into table "
+ "(column1, column2, column3, column4, column5) VALUES "
+ "(:column1, :column2, :column3, :column4, :column5)",
new MapSqlParameterSource().addValue("column1",
value1).addValue("column2",
value2).addValue("column3",
value3).addValue("column4",
value4).addValue("column5", value5));