Hibernate Books

All times are UTC - 5 hours [ DST ]

 Post subject: does Hibernate guard against SQL injection?
PostPosted: Thu Jun 15, 2006 1:13 pm 
Beginner

Joined: Thu Apr 13, 2006 12:56 pm
Posts: 23
Does Hibernate guard against SQL injection attacks? Let's say I have a POJO bean with a String property 'name'. If the value is obtained from a POST request, for example, the end user could supply a malicious SQL string. When updating a table from mapped POJOs, does Hibernate inspect values in any way, for example to make sure surrounding single quotes are not escaped?

thanks
-nikita

Hibernate version:
3.1
Name and version of the database you are using:
mysql 5.0


 Post subject:
PostPosted: Thu Jun 15, 2006 3:31 pm 
Expert

Joined: Fri Aug 19, 2005 2:11 pm
Posts: 628
Location: Cincinnati
Yes. Hibernate uses prepared statements, so you are protected from SQL injection attacks.

_________________
Chris

If you were at work doing this voluntarily, imagine what you'd want to see to answer a question.


 Post subject:
PostPosted: Thu Jun 15, 2006 3:49 pm 
Newbie

Joined: Wed May 31, 2006 11:51 am
Posts: 3
Hibernate uses PreparedStatements, which already guard against SQL injection. In a PreparedStatement, arguments are bound to the statement rather than having a plain-text SQL statement being issued. You should not need to worry about SQL injection when using Hibernate.

_______
Todd V


 Post subject:
PostPosted: Thu Jun 15, 2006 9:29 pm 
Newbie

Joined: Sun May 28, 2006 11:24 am
Posts: 13
IIRC there is a way to submit native SQL to your RDBMS...
In this case, would the vulnerability to injection manifest itself?


 Post subject:
PostPosted: Fri Jun 16, 2006 10:28 am 
Expert

Joined: Fri Aug 19, 2005 2:11 pm
Posts: 628
Location: Cincinnati
hanasaki wrote:
IIRC there is a way to submit native SQL to your RDBMS...
In this case, would the vulnerability to injection manifest itself?


If you concatenate the parameters into the SQL query then yes, you're asking for trouble. But the SQL queries are still of type Query, and as such have the methods for setting parameters, which take care of SQL injection attacks.

_________________
Chris

If you were at work doing this voluntarily, imagine what you'd want to see to answer a question.


 Post subject: Careful Now
PostPosted: Thu Jan 11, 2007 5:31 am 
Newbie

Joined: Thu Jan 11, 2007 5:29 am
Posts: 2
You can use Prepared Statements wrong like this:

Code:
// Vulnerable: the request value is concatenated straight into the SQL text,
// so wrapping it in a PreparedStatement gives no protection at all.
String strUserName = request.getParameter("Txt_UserName");
PreparedStatement prepStmt = con.prepareStatement("SELECT * FROM user WHERE userId = '" + strUserName + "'");


So be sure to use Prepared Statements WITH ALL Bind Variables.

Code:
// Safe: the SQL text is fixed and the value is supplied through a bind variable.
String selectStatement = "SELECT * FROM User WHERE userId = ?";
PreparedStatement prepStmt = con.prepareStatement(selectStatement);
prepStmt.setString(1, userId); // the request value travels as data, never as SQL
ResultSet rs = prepStmt.executeQuery();


(more at http://www.owasp.org/index.php/Preventi ... on_in_Java)
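The same contrast in Hibernate's own API, as an added example that is not from this thread or from the Hibernate project: the concatenation trap from the post above next to the bound-parameter form Chris describes for native SQL and HQL queries, using the Hibernate 3.x Session/SQLQuery/Query methods. It assumes a mapped User entity with a name property backed by a user table, and a sort-column allowlist for the one case where binding cannot help.

```java
import org.hibernate.Query;
import org.hibernate.SQLQuery;
import org.hibernate.Session;
import java.util.Arrays;
import java.util.List;

public class UserLookup {

    // Vulnerable: the request value is pasted into the SQL text, so a value
    // containing a single quote changes the statement instead of being data.
    // Hibernate still issues a PreparedStatement, but the damage is already done.
    public static List unsafeNativeLookup(Session session, String userName) {
        String sql = "SELECT * FROM user WHERE name = '" + userName + "'";
        return session.createSQLQuery(sql).addEntity(User.class).list();
    }

    // Safe: the SQL text is fixed and the value is bound by name; Hibernate
    // passes it to the JDBC PreparedStatement as a parameter, so quotes in
    // the value never reach the database parser as SQL.
    public static List safeNativeLookup(Session session, String userName) {
        SQLQuery query = session.createSQLQuery(
                "SELECT * FROM user WHERE name = :name");
        query.addEntity(User.class);
        query.setString("name", userName);
        return query.list();
    }

    // Same rule for HQL: createQuery returns a Query with the same binding
    // methods, so there is no reason to build HQL by concatenation either.
    public static List safeHqlLookup(Session session, String userName) {
        Query query = session.createQuery("from User u where u.name = :name");
        query.setString("name", userName);
        return query.list();
    }

    // Caveat: identifiers such as an ORDER BY column cannot be bound as
    // parameters. Validate them against a fixed allowlist (assumed here)
    // before they go anywhere near the query text.
    private static final List<String> SORTABLE = Arrays.asList("name", "id");

    public static List safeSortedLookup(Session session, String sortColumn) {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        Query query = session.createQuery("from User u order by u." + sortColumn);
        return query.list();
    }
}
```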


© Copyright 2014, Red Hat Inc. All rights reserved. JBoss and Hibernate are registered trademarks and servicemarks of Red Hat, Inc.