Handling SQL injection in an HQL ORDER BY clause

Is there an easy way to handle SQL injection in a Hibernate HQL ORDER BY statement? Obviously, named parameters do not work there.

EDIT:

Feel free to post your solution to this problem. I want to see other people's solutions and learn from them.

Thanks for any suggestions and solutions.

+6
java sql-order-by hibernate hql code-injection
3 answers

You can use the Hibernate criteria API instead of HQL.

The Criteria API verifies that the order criterion refers to a valid property.

If you try to do the following:

    public void testInjection() {
        // User-controlled value smuggled into the ORDER BY: not a real property name
        String orderBy = "this_.type desc, type";
        Criteria crit = this.getSession().createCriteria(DemoEntity.class);
        crit.addOrder(Order.asc(orderBy));
        crit.list();
    }

You will get a QueryException: "could not resolve property this_ of de.test.DemoEntity" thrown by AbstractPropertyMapping.

+3

I got a solution that I wanted to avoid. I implemented a map where the key is what the user sees in the URL, and the value is the column(s) in the database that go after the ORDER BY clause.

+1
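The allowlist map described in this answer, written out as an added example (not code from the original post); the property names on `DemoEntity` and the `e.active` filter are assumptions. User input is only ever used as a lookup key, so no part of it reaches the generated HQL:

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

// Maps the sort keys a user may pass in the URL to the HQL properties
// they are allowed to order by. Anything not in this map is rejected.
public final class SafeOrderBy {

    private static final Map<String, String> ALLOWED;
    static {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("name", "e.name");       // assumed DemoEntity properties
        m.put("created", "e.created");
        m.put("type", "e.type");
        ALLOWED = Collections.unmodifiableMap(m);
    }

    /** Returns a validated " order by ..." fragment; user input is never echoed. */
    public static String orderByClause(String sortKey, String direction) {
        String property = ALLOWED.get(sortKey);
        if (property == null) {
            // Do not include the rejected value in the message: it is attacker-controlled.
            throw new IllegalArgumentException("unknown sort key");
        }
        // Only the two literal directions are allowed; anything else becomes ascending.
        String dir = "desc".equalsIgnoreCase(direction) ? "desc" : "asc";
        return " order by " + property + " " + dir;
    }

    /** Builds the HQL; the WHERE value still goes through a named parameter. */
    public static String buildQuery(String sortKey, String direction) {
        return "from DemoEntity e where e.active = :active"
             + orderByClause(sortKey, direction);
    }

    // Usage (assumed): session.createQuery(buildQuery(sortParam, dirParam))
    //                         .setParameter("active", Boolean.TRUE).list();
    public static void main(String[] args) {
        System.out.println(buildQuery("type", "desc"));
        try {
            buildQuery("this_.type desc, type", "asc"); // the string from answer 1: rejected
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Because the map lookup happens before any string concatenation, a malformed key is rejected before Hibernate ever parses a query, which also gives you a single place to log such attempts.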

Hibernate uses PreparedStatement, which already deals with SQL injection. In PreparedStatement, the arguments are bound to the statement, and are not written out into the SQL statement. You do not need to worry about SQL injection when using Hibernate.

Here is a thread that confirms that Hibernate is safe from SQL injection. Click here.

0