SQL Injection via Hibernate-Criteria & Session.save (object)

Question

SQL Injection via Hibernate-Criteria & Session.save (object)

In order to avoid sql injections, you can usually use positional parameters and named parameters in HQL, since here there are demos here , and stackoverflow also has samples. I want to know what steps can be taken when used Criteria. Any help with sample codes or useful links, please.

Edit
Also when do we save the object? let's say an object can have a String variable, and someone can assign a vulnerable SQL query for it.

 myObject.setName(somevulnerablesql); session.save(myObject);

In this case, we will need to separately check the user input before assigning to the object? or any other steps to avoid such sql injections?

+5

java sql hibernate

Decora Apr 12 '12 at 11:45

source share

2

SQL/HQL , SQL- ( Hibernate ).

Edit:

@ckuetbach, SQL Expression.sql(String sql) Restrictions.sqlRestriction(String).

+3

Thomas 12 . '12 11:50

Christian Kuetbach · Accepted Answer · 2012-04-12T11:52:21+0000

, Criteria-Object HSQL.

Expression. SQL-. SQL: Hibernate show real SQL

Hibernate , , String , . . , SQL- Hibernate.

, , Hibernate. :

class User{
    String name;
}

"' 1 = 1; DROP DATABASE user; -" . User Criterion, ( ). Expression, ( ).

HTML, . "/><script>evilJavascript()</script> .

2: : https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

SQL Injection via Hibernate-Criteria & Session.save (object)

More articles: