Hi!
I'm trying to figure out what security methods are implemented by Hibernate.
Perhaps you can help me.
Especially SQL injection prevention.
There are two ways to create a query, or not?
1.) SQL with integrated parameters:
Of course not SQL injection proof:
Code:
session.createQuery("from SomeClass s where s.someString = '" + someValue + "'");
2.) Bind variables/prepared statements
Seems to be safe...
http://www.jroller.com/page/larrywillia ... sting_with
Quote:
3.3 SQL Injection
With Hibernate you normally don't have to worry about SQL injection. One exception is if you are creating a HQL query dynamically from user input. To avoid problems always use bind variables:
session.createQuery("from person where person.username=:username").setParameter("username", formUsername);
So I wonder whether Hibernate always creates prepared statements in case 2, and where that is documented.
Bye
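The two query styles from the post side by side, as an added example that is not part of the original post or of Hibernate's own code. It assumes a mapped entity `Person` with a String property `username` and an open Hibernate `Session` supplied by the caller; the class and method names are made up for illustration.

```java
import org.hibernate.Session;
import org.hibernate.query.Query;
import java.util.List;

// Added example (not from the original post). Assumes a mapped entity
// `Person` with a String property `username`.
public class PersonLookup {

    // Style 1: user input is spliced into the HQL text. A value containing a
    // single quote ends the string literal early and changes the structure of
    // the query that Hibernate parses, so this is the variant to avoid.
    public static List<Person> findByUsernameUnsafe(Session session, String formUsername) {
        String hql = "from Person p where p.username = '" + formUsername + "'";
        return session.createQuery(hql, Person.class).getResultList();
    }

    // Style 2: the HQL text is fixed and the value travels as a named bind
    // variable. Hibernate sends it to the database as a JDBC PreparedStatement
    // parameter, so the input is data and cannot alter the query structure.
    public static List<Person> findByUsername(Session session, String formUsername) {
        Query<Person> q = session.createQuery(
            "from Person p where p.username = :username", Person.class);
        q.setParameter("username", formUsername);
        return q.getResultList();
    }
}
```

A quick way to see the difference during a code review is to check whether the HQL string passed to createQuery is a compile-time constant; if any runtime value is concatenated into it, the query belongs in the first category.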