Greetings,
I've successfully used hibernate on a few projects, and well, it's almost about to happen again. Thanks for the great work (and making my life easier), you already know how great hibernate is, so I won't say it again! :)
My current client has a very strict security review for all applications before they go into production. We deal with googles of financial information, so the scrutiny is a good thing. I need to explain why using hibernate doesn't introduce any unusual security concerns. I've done a few searches, both here and the net at large, and can't find any discussion on the topic.
The specific concern is SQL Injection (see http://www.securiteam.com/securityrevie ... 1P76E.html for more detail). Assume that the web application doesn't do any validation whatsoever and thus accepts any input. The input may contain SQL commands which tinker in unorthodox ways.
Here's my take on it: It seems that hibernate uses prepared statements for all database access (is this true?). Generally speaking, prepared statements are precompiled, and their structure can't be changed by the parameters being set.
Is that it? Does that cover it? Is there anything more to make a more convincing argument? Am I missing something altogether?
Kindest regards,
Christian
PS: We are using hibernate 2.1.6 against a MS SQL Server 2000 database.
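Added illustration for the argument above (not code from the post, and not Hibernate's own code): whether Hibernate's prepared statements protect you depends on where the user's input ends up, in the bound parameter or in the HQL text itself. It assumes Hibernate 2.x package names (`net.sf.hibernate`) and a hypothetical `Account` entity with an `owner` property.

```java
import java.util.List;

import net.sf.hibernate.HibernateException;
import net.sf.hibernate.Query;
import net.sf.hibernate.Session;

/**
 * Two ways to look up accounts by an owner name a user typed in.
 * AccountDao and the Account entity are hypothetical; the Session
 * and Query calls are the Hibernate 2.x API.
 */
public class AccountDao {

    /**
     * UNSAFE: the untrusted value is spliced into the HQL string.
     * Hibernate still executes the resulting SQL through a JDBC
     * PreparedStatement, but by then the statement text already
     * contains whatever the user typed, so a value holding quotes
     * or comment markers can alter the WHERE clause. A security
     * review should flag any HQL built by concatenation like this.
     */
    public List findByOwnerUnsafe(Session session, String owner)
            throws HibernateException {
        String hql = "from Account a where a.owner = '" + owner + "'";
        return session.createQuery(hql).list();
    }

    /**
     * SAFE: the HQL is a constant and the value is bound to a named
     * parameter. Hibernate turns :owner into a "?" placeholder in the
     * generated SQL and binds the value with PreparedStatement.setString,
     * so the driver sends it as data, never as part of the statement.
     * This is the case the "prepared statements" argument covers.
     */
    public List findByOwner(Session session, String owner)
            throws HibernateException {
        Query q = session.createQuery(
                "from Account a where a.owner = :owner");
        q.setString("owner", owner);
        return q.list();
    }
}
```

The same distinction applies to native SQL run through Hibernate and to `Session.find` with positional `?` parameters: bound parameters are safe, concatenated query text is not.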