The entity attempting to be parsed is directly related to the database, and therefore, unexpected fields may be accessed by outside users. Instead, pass the object as a JSON string, and only assign the required fields. This isn't necessarily an issue, but it could be in the future. Therefore, it seemed appropriate to handle this issue here.
Moreover, this solves the Critical SQL injection vulnerability found with ZAP. An attack like gary.teek2@venus.com AND 1=1 -- would just set a weird username, instead of accessing a component of the database.
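The approach described above, as an added example that is not the project's own code: the request body is parsed as a JSON string, only an allow-listed set of fields is copied onto the user record, and the write itself is a parameterised query so the odd username is stored as a literal. The table layout, the ALLOWED_USER_FIELDS set and the sample request body are assumptions made for this example.

```python
import json
import sqlite3

# Fields an outside caller may set on a user (constructed allow-list for this example).
ALLOWED_USER_FIELDS = frozenset({"username", "email", "display_name"})


def fields_from_json(raw: str, allowed=ALLOWED_USER_FIELDS) -> dict:
    """Parse the request body and keep only allow-listed keys.

    Any other key a client adds (for example 'is_admin' or 'id') is dropped,
    so the shape of the JSON never reaches the database entity directly.
    """
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    return {key: value for key, value in data.items() if key in allowed}


def create_user(conn: sqlite3.Connection, raw: str) -> tuple:
    """Insert a user from a raw JSON body and return the stored row."""
    fields = fields_from_json(raw)
    # Parameterised statement: values are bound, never spliced into the SQL text,
    # so a username containing "AND 1=1 --" is just data.
    conn.execute(
        "INSERT INTO users (username, email, display_name) VALUES (?, ?, ?)",
        (fields.get("username"), fields.get("email"), fields.get("display_name")),
    )
    return conn.execute(
        "SELECT username, email, is_admin FROM users WHERE username = ?",
        (fields.get("username"),),
    ).fetchone()


def demo() -> tuple:
    """Run the flow against an in-memory database with a constructed request body."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT,"
        " display_name TEXT, is_admin INTEGER NOT NULL DEFAULT 0)"
    )
    # Constructed body: an unexpected 'is_admin' key plus the username from the finding.
    body = json.dumps({
        "username": "gary.teek2@venus.com AND 1=1 --",
        "email": "gary@venus.com",
        "is_admin": 1,
    })
    return create_user(conn, body)
```

Running demo() stores the username verbatim and leaves is_admin at its default, because the extra key never reaches the entity and the SQL is never built from the input.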