Hello,

Is it possible to inject malicious SQL into objects, and have Hibernate execute this when updating/inserting/selecting from DB?

Example:
If I have an object Foo and allow the user to edit Foo properties (think web app with HTML form for editing), could a user set one of the properties to, for example, "DROP TABLE xxx;", and cause Hibernate to execute that and drop table 'xxx'?

This is a trivial example, but please consider all kinds of escape sequences that a smart and evil user could come up with, to let that SQL get to the point where it would get executed.

Does Hibernate do anything to prevent this?
Does it try to analyze the input to make sure it is not SQL?
Does it do something (what?) to make sure that even if SQL is entered and is smartly escaped, it does not get executed?

Thank you.
P.S.
Hibernate 2.1.1 on PostgreSQL, but that is irrelevant for my questions.

Hibernate uses properties as prepared statements parameters and postgresql driver escapes string parameters.
There is no problems if you do not use dynamic queries and string manipulation yourself (It is possible to execute multiple statements separated by semicolon on some postgresql versions).

Use bind variables.

Instead of session.find("from blah where blah.name='" + namevar "');

do something more on the lines of --> session.find("from blah where blah.name=?);
i.e. or