Hibernate Community • View topic - verify

View unanswered posts | View active topics

Board index » Hibernate & Java Persistence » Hibernate Users

All times are UTC - 5 hours [ DST ]

verify - no SQL Injection attacks

Page 1 of 1

[ 4 posts ]

Previous topic | Next topic

Author

Message

david@windward.net

Post subject: verify - no SQL Injection attacks

Posted: Thu Jul 28, 2005 7:08 pm

Beginner

Joined: Thu Jul 28, 2005 6:40 pm
Posts: 29

Hi;

I'm 99.9% certain this question is not necessary - but when it comes to security I prefer to be 1000% sure.

All of Hibernate is written so sql injection attacks won't work - correct?

thanks - dave

Top

Nebob

Post subject:

Posted: Thu Jul 28, 2005 9:21 pm

Senior

Joined: Thu May 12, 2005 11:40 pm
Posts: 125
Location: Canada

Yeah. Hibernate uses PreparedStatements.

Top

eagle79

Post subject:

Posted: Thu Jul 28, 2005 11:17 pm

Senior

Joined: Tue Jun 21, 2005 10:18 am
Posts: 135
Location: South Carolina, USA

Injection attacks are still possible, I think, if you're not careful. Consider the following:

Code:

hqlText = "from SomeClass s where s.someString = '" + someValue + "'";

This is HQL, but it's still vulnerable, I think... of course, this is bad style anyway. It should be:

Code:

hqlText = "from SomeClass s where s.someString = ?";

Top

david@windward.net

Post subject:

Posted: Thu Jul 28, 2005 11:24 pm

Beginner

Joined: Thu Jul 28, 2005 6:40 pm
Posts: 29

Hi;

Yes, by definition that is open. (It's amazing to me that there are people still coding that way.)

thanks - dave

Top

Page 1 of 1

[ 4 posts ]

Board index » Hibernate & Java Persistence » Hibernate Users

All times are UTC - 5 hours [ DST ]

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum