
All times are UTC - 5 hours [ DST ]



Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 6 posts ] 
Author Message
 Post subject: SQL Injection Protection
PostPosted: Wed Jul 05, 2006 9:42 am 
Regular

Joined: Tue Feb 07, 2006 4:27 pm
Posts: 69
Hi,

I've read many articles that suggest all access to a DB should be through stored procedures in order to better secure your data from SQL Injection attacks etc.

I disagree with this and really enjoy the performance gains tools like NHibernate give you.

I would like to know what measures (if any) NHibernate takes to protect against potential harmful input into SQL statements.

Organizations that have security concerns about using ORM tools may be more open to using them knowing that the ORM tool offers some protection.

Thanks


 Post subject:
PostPosted: Wed Jul 05, 2006 9:50 am 
Contributor

Joined: Wed May 11, 2005 4:59 pm
Posts: 1766
Location: Prague, Czech Republic
NHibernate allows using parameters in queries - this alone should prevent most, if not all, injection attacks. Using parameters instead of building HQL strings directly out of user-supplied values is in fact the recommended approach.


 Post subject:
PostPosted: Wed Jul 05, 2006 11:04 am 
Regular

Joined: Tue Feb 07, 2006 4:27 pm
Posts: 69
Thanks. That is what I was hoping for. Is there an article I can review that talks about this and demonstrates it?


 Post subject:
PostPosted: Wed Jul 05, 2006 2:50 pm 
Contributor

Joined: Wed May 11, 2005 4:59 pm
Posts: 1766
Location: Prague, Czech Republic
I don't know of any articles, it's a relatively simple feature I'd say.


 Post subject:
PostPosted: Wed Jul 05, 2006 9:10 pm 
Regular

Joined: Wed Jun 21, 2006 3:13 pm
Posts: 110
gcook1@shaw.ca wrote:
Thanks. That is what I was hoping for. Is there an article I can review that talks about this and demonstrates it?


Here's the gist of it:

Code:
string sql = "from Account where Username = :name";   // HQL with a named parameter; the value is never concatenated into the query text
IQuery query = DbSessionContext.Current.Session.CreateQuery(sql);
query.SetString("name", username);                    // bind the user-supplied value; it is sent to the driver as data, not parsed as HQL/SQL

return query.List<Account>();
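The contrast the replies above describe, a value concatenated into HQL text versus a value bound as a parameter, as an added example; this is not code from the thread or from NHibernate itself. It assumes a mapped Account entity with a Username property, a hibernate.cfg.xml on the classpath, and NHibernate 1.2 or later for the generic List<T>(); the AccountRepository class, the payload string and the ORDER BY allow list are constructed here for illustration. It also goes one step beyond the thread: the last method covers the case parameters cannot handle, an identifier supplied by the user.

```csharp
using System;
using System.Collections.Generic;
using NHibernate;
using NHibernate.Cfg;

// Hypothetical entity; an Account.hbm.xml mapping for it is assumed to exist.
public class Account
{
    public virtual int Id { get; set; }
    public virtual string Username { get; set; }
}

public static class AccountRepository
{
    // VULNERABLE: the user-supplied value becomes part of the HQL text.
    // Input such as   x' or '1'='1   turns the WHERE clause into a tautology
    // and the query returns every account.
    public static IList<Account> FindUnsafe(ISession session, string username)
    {
        string hql = "from Account where Username = '" + username + "'";
        return session.CreateQuery(hql).List<Account>();
    }

    // SAFE: the value is bound as a named parameter. NHibernate hands it to the
    // ADO.NET driver as data, so quotes in the input never reach the parser.
    public static IList<Account> FindSafe(ISession session, string username)
    {
        IQuery query = session.CreateQuery("from Account where Username = :name");
        query.SetString("name", username);
        return query.List<Account>();
    }

    // Parameters only cover values. An identifier (the column in ORDER BY, a
    // table name) cannot be bound, so it is checked against a fixed allow list
    // before it is spliced into the query text.
    private static readonly HashSet<string> SortableColumns =
        new HashSet<string>(StringComparer.Ordinal) { "Id", "Username" };

    public static IList<Account> ListSorted(ISession session, string orderBy)
    {
        if (!SortableColumns.Contains(orderBy))
            throw new ArgumentException("unsupported sort column", "orderBy");
        // Safe to concatenate: orderBy is one of two strings this class owns.
        return session.CreateQuery("from Account order by " + orderBy).List<Account>();
    }

    public static void Main()
    {
        // Reads hibernate.cfg.xml (connection string, dialect, mappings); assumed present.
        ISessionFactory factory = new Configuration().Configure().BuildSessionFactory();
        string payload = "x' or '1'='1";   // constructed test input

        using (ISession session = factory.OpenSession())
        {
            // Against a test database: the concatenated query returns every row,
            // the parameterized one returns none (no account has that literal name).
            Console.WriteLine("unsafe: " + FindUnsafe(session, payload).Count + " rows");
            Console.WriteLine("safe:   " + FindSafe(session, payload).Count + " rows");
            Console.WriteLine("sorted: " + ListSorted(session, "Username").Count + " rows");
        }
    }
}
```

SetString, SetParameter and the positional ? form all bind the value rather than splicing it into the statement, and Criteria queries bind their restriction values the same way. What no binding API can protect is an identifier, which is why ListSorted validates the column name against an allow list instead of trusting the caller.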
 Post subject:
PostPosted: Wed Jul 05, 2006 10:34 pm 
Regular

Joined: Tue Feb 07, 2006 4:27 pm
Posts: 69
So...you can use standard HQL to construct your query and pass the params to it.

Thanks for the pointers.


© Copyright 2014, Red Hat Inc. All rights reserved. JBoss and Hibernate are registered trademarks and servicemarks of Red Hat, Inc.