SQL injection with plain-vanilla NHibernate

I have a plain-vanilla NHibernate setup: no Fluent NHibernate, no HQL, nothing but domain objects and NHibernate mapping files. I load objects through:

_lightSabers = session.CreateCriteria(typeof(LightSaber)).List<LightSaber>(); 

I assign raw user input directly to one property of the "LightSaber" class:

 myLightSaber.NameTag = "Raw malicious text from user"; 

Then I save the LightSaber:

 session.SaveOrUpdate(myLightSaber); 

Everything I have read says yes, in this situation you are immune to SQL injection, because NHibernate parameterizes and escapes queries under the hood. However, I am also a relative NHibernate novice, so I wanted to double-check.

Thanks!

+7
sql-injection nhibernate
3 answers

Yes, you are almost immune to SQL injection when using NHibernate. It uses parameterized queries for all generated SQL statements, on every platform that supports them.

However, you can circumvent this with custom SQL for insert/update, by executing SQL through some variant of execute_sql, or with SQL queries that do not use parameters.

+8

You are safe as long as you do not concatenate user input directly into HQL or SQL: nothing else (among the functions Hibernate provides) will let users inject malicious code.

+3

Just to repeat the others: if you let NHibernate generate your SQL, you are safe, at least in theory.

However, you still need to be careful with stored procedures, triggers, and functions in the database, in particular with dynamic SQL. Even though the client uses parameterized queries everywhere, injection may still be possible there.

+2
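The three answers above draw one line: values that NHibernate binds as parameters (entity saves, Criteria, parameterized HQL or native SQL) are safe, while user input concatenated into HQL or SQL text, or handed to a stored procedure that builds dynamic SQL internally, is not. The following C# is an added example written for this page, not code from the question or any of the answers. It assumes a hypothetical LightSaber entity with a string property NameTag mapped by an hbm.xml file to a table named LightSaber, an open ISession, and a constructed stored procedure FindSabers whose T-SQL body appears only in a comment; none of these exist on the original page.

```csharp
// Added example, not from the original question or answers. Assumes an NHibernate
// ISession and a hypothetical LightSaber entity (NameTag mapped to a column of the
// same name in a table named LightSaber). FindSabers is a constructed procedure.
using System.Collections.Generic;
using NHibernate;
using NHibernate.Criterion;

public class LightSaber
{
    public virtual int Id { get; set; }
    public virtual string NameTag { get; set; }
}

public static class LightSaberRepository
{
    // Constructed attacker input. Harmless wherever it is bound as a parameter,
    // dangerous wherever it is pasted into statement text.
    public const string MaliciousName = "x'; DROP TABLE LightSaber; --";

    // SAFE (the question's scenario): the property value becomes an INSERT/UPDATE
    // parameter. NHibernate never splices property values into the SQL it generates.
    public static void SaveName(ISession session, LightSaber saber, string rawUserInput)
    {
        saber.NameTag = rawUserInput;
        using (var tx = session.BeginTransaction())
        {
            session.SaveOrUpdate(saber);
            tx.Commit();
        }
    }

    // SAFE: Criteria API. Restrictions.Eq binds the value as a parameter.
    public static IList<LightSaber> FindByNameCriteria(ISession session, string rawUserInput)
    {
        return session.CreateCriteria(typeof(LightSaber))
                      .Add(Restrictions.Eq("NameTag", rawUserInput))
                      .List<LightSaber>();
    }

    // SAFE: HQL with a named parameter.
    public static IList<LightSaber> FindByNameHql(ISession session, string rawUserInput)
    {
        return session.CreateQuery("from LightSaber l where l.NameTag = :name")
                      .SetParameter("name", rawUserInput)
                      .List<LightSaber>();
    }

    // UNSAFE: user input concatenated into HQL text. This is the "HQL or SQL" case
    // the second answer warns about; the HQL parser sees the attacker's quote.
    public static IList<LightSaber> FindByNameHqlUnsafe(ISession session, string rawUserInput)
    {
        return session.CreateQuery("from LightSaber l where l.NameTag = '" + rawUserInput + "'")
                      .List<LightSaber>();
    }

    // UNSAFE: native SQL built by concatenation, the "SQL queries without parameters"
    // case from the first answer.
    public static int DeleteByNameSqlUnsafe(ISession session, string rawUserInput)
    {
        return session.CreateSQLQuery("delete from LightSaber where NameTag = '" + rawUserInput + "'")
                      .ExecuteUpdate();
    }

    // SAFE: the same native SQL with a bound parameter.
    public static int DeleteByNameSql(ISession session, string rawUserInput)
    {
        return session.CreateSQLQuery("delete from LightSaber where NameTag = :name")
                      .SetParameter("name", rawUserInput)
                      .ExecuteUpdate();
    }

    // The third answer's caveat. The client side below is fully parameterized, but
    // if the (constructed, hypothetical) procedure builds dynamic SQL from @name,
    //   CREATE PROCEDURE FindSabers @name nvarchar(100) AS
    //     EXEC('select * from LightSaber where NameTag = ''' + @name + '''')
    // the injection happens inside the database. The fix lives there too:
    // sp_executesql with parameters, or no dynamic SQL at all.
    public static IList<LightSaber> FindViaProcedure(ISession session, string rawUserInput)
    {
        return session.CreateSQLQuery("exec FindSabers :name")
                      .AddEntity(typeof(LightSaber))
                      .SetParameter("name", rawUserInput)
                      .List<LightSaber>();
    }
}
```

Calling each method with MaliciousName against a test database is the quickest way to see the boundary: the Safe* methods store or match the literal string, the *Unsafe methods and the dynamic-SQL procedure execute it.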
