
To avoid SQL injections, normally positional parameters and named parameters can be used in HQL, as is demonstrated here, and Stack Overflow also has samples. I want to know which steps can be taken when Criteria is used. Any help with sample code or useful links, please.

Edit
Also, what about when we save an object? Let's say the object has a String variable and someone can assign a vulnerable SQL query to it.

    myObject.setName(somevulnerablesql);
    session.save(myObject);

In that case, do we have to check the user input separately before assigning it to the object? Or are there any other steps to avoid such SQL injections?

Débora

2 Answers


I'm quite sure that the Criteria object will create safe HSQL.

You have to be careful with the Expression object. You may create a SQL injection there. But take a look at the generated SQL: Hibernate show real SQL

Edit: Unless there is a huge bug in Hibernate, you don't have to make sure that your Strings are escaped before you save them. Hibernate works with prepared statements. So there is no string concatenation and no SQL injection with the Hibernate session.

You may have to escape the output, however, after reading it with Hibernate. For example: you have an Entity User

    class User {
        String name;
    }

And you call the user "' or 1=1;DROP DATABASE user;--". That string will be stored within the database. If you query the User with a Criterion object, you will find him (without dropping the database). If you query the User with the Expression object, you may drop the database (if you concatenate Strings).

If you output the user's name to HTML you have to escape the output. Otherwise a user with a name like "/><script>evilJavascript()</script>" will be bad for your application.

Edit 2: take a look here: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

Christian Kuetbach

Criteria don't allow you to write vulnerable SQL/HQL yourself thus there shouldn't be any problem with SQL injection (unless there's a bug in Hibernate itself).

Edit:

As @ckuetbach pointed out, Criteria actually allows you to write SQL using Expression.sql(String sql) or Restrictions.sqlRestriction(String).

Thomas
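Both answers come down to the same distinction: restrictions such as `Restrictions.eq` bind the value as a JDBC parameter, while `Restrictions.sqlRestriction(String)` passes an SQL fragment through verbatim, so the fragment is only as safe as the way it was built. The example below is added here and is not code from either answer or from Hibernate itself. It assumes the Hibernate 3.6+ Criteria API (where `Restrictions.sqlRestriction(String, Object, Type)` and `org.hibernate.type.StandardBasicTypes` exist), a `User` entity mapped to a table named `users`, and an open `Session` supplied by the caller; the `UserLookup` class and its method names are my own.

```java
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.Table;
import org.hibernate.Criteria;
import org.hibernate.Session;
import org.hibernate.criterion.Restrictions;
import org.hibernate.type.StandardBasicTypes;

// Assumed entity for this example: one row per user in table "users".
@Entity
@Table(name = "users")
class User {
    @Id @GeneratedValue
    private Long id;
    private String name;

    public Long getId() { return id; }
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}

// Added example, not Hibernate's own code: three ways to look a user up
// by a name that came straight from user input, plus the save path.
public final class UserLookup {

    private UserLookup() {}

    // Safe: Restrictions.eq turns into "name = ?" and the value is bound
    // as a prepared-statement parameter, never spliced into the SQL text.
    @SuppressWarnings("unchecked")
    public static List<User> findByName(Session session, String name) {
        Criteria c = session.createCriteria(User.class);
        c.add(Restrictions.eq("name", name));
        return c.list();
    }

    // Vulnerable: sqlRestriction takes the fragment verbatim, so
    // concatenating the input makes it part of the SQL. This is the
    // "if you concatenate Strings" case from the first answer.
    @SuppressWarnings("unchecked")
    public static List<User> findByNameConcatenated(Session session, String name) {
        Criteria c = session.createCriteria(User.class);
        c.add(Restrictions.sqlRestriction("{alias}.name = '" + name + "'"));
        return c.list();
    }

    // Hardened: keep the raw SQL fragment if you really need one, but use
    // a ? placeholder and hand Hibernate the value with its type, so it is
    // bound the same way Restrictions.eq binds it.
    @SuppressWarnings("unchecked")
    public static List<User> findByNameSqlBound(Session session, String name) {
        Criteria c = session.createCriteria(User.class);
        c.add(Restrictions.sqlRestriction("{alias}.name = ?", name, StandardBasicTypes.STRING));
        return c.list();
    }

    // Saving: the String is written through a prepared statement, so no
    // escaping is needed for the INSERT. The value is stored as-is, which
    // is why it still has to be encoded later when rendered as HTML.
    public static User saveUser(Session session, String name) {
        User u = new User();
        u.setName(name);
        session.save(u);
        return u;
    }
}
```

To confirm which form binds and which concatenates, enable `hibernate.show_sql=true` and compare the statements: the first and third methods log `name=?` with the value bound separately, while the second logs the input inside the SQL text. Treat any `sqlRestriction` or `Expression.sql` call that builds its fragment from a non-constant String as a review finding.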