One route to SQL injection is allowing arbitrary parameters that can end up in a request string. Proper parameter checking can help prevent this.

Interestingly, Compojure allows regular expressions when defining routes with parameters: (GET "/root/:id{[0-9]+}" [id] ...) will only match this route when the parameter matches the regular expression, in this case digits only.

However, Clojure's JDBC interface uses java.sql PreparedStatements with their set{type}() methods to fill in parameters, and the setString() method will escape any SQL characters in the string. Neat!
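Putting the two together, here is an added example (not code from the original post) of a Compojure route whose :id segment is constrained to digits, with a clojure.java.jdbc lookup that binds the value as a PreparedStatement parameter next to the string-concatenation form it replaces. It assumes a users table with an integer id column and an H2 in-memory database on the classpath; the db-spec, table and column names are illustrative.

```clojure
(ns example.handler
  (:require [compojure.core :refer [defroutes GET]]
            [clojure.java.jdbc :as jdbc]))

;; Assumed database: H2 in-memory, driver on the classpath.
(def db-spec {:dtype "h2" :dbname "mem:demo"})

;; Unsafe: the caller's input becomes part of the SQL text itself.
;; Anything in `id` that is valid SQL changes the meaning of the statement.
(defn find-user-unsafe [db id]
  (jdbc/query db [(str "SELECT * FROM users WHERE id = " id)]))

;; Safe: "?" is a PreparedStatement placeholder. clojure.java.jdbc binds the
;; vector's remaining elements with the set{type}() methods, so the value is
;; passed as a bound parameter rather than spliced into the SQL text.
(defn find-user-safe [db id]
  (jdbc/query db ["SELECT * FROM users WHERE id = ?" (Long/parseLong id)]))

(defroutes app
  ;; The inline regex means a path segment containing anything other than
  ;; digits does not match this route at all, so the handler (and the
  ;; Long/parseLong call) only ever sees a numeric string.
  (GET "/users/:id{[0-9]+}" [id]
    (pr-str (find-user-safe db-spec id))))
```

The route regex and the parameter binding are independent layers: the regex rejects malformed input before it reaches the handler, and the bound parameter keeps the query safe even where a route accepts free-form text.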