
There is a possible SQL injection scenario where I am executing

query = currentHibernateSession.createSQLQuery(sqlQuery);

then I am using query.list() to execute the query.

Now, even though DML queries like DELETE do not work, DDL queries like DROP TABLE go through, even though I can see an exception.

A temporary fix would be to parse the SQL queries and reject the DML and DDL queries, but I was wondering if there is a better way to prevent SQL injection in this scenario.

Optimus
  • See accepted answer in this SO -http://stackoverflow.com/questions/1812891/java-escape-string-to-prevent-sql-injection – aksappy Jul 01 '16 at 11:41
  • @aksappy The solution is feasible only if we know what query we are executing, but in cases where we can have different select queries to execute based on the request I don't think this method will help – Optimus Jul 04 '16 at 06:22
  • I suggest you make a list of dynamic queries that can get executed with this method, how many of them pose a risk and then work towards a solution? Prepared Statements still is the best approach to go, AFAIK. – aksappy Jul 04 '16 at 06:31
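As an added example (not code from the question or its comments), this shows the concatenated native query the question describes next to a parameterized version built with the same createSQLQuery API, with the SQL templates held in a whitelist keyed by a request identifier so that the "different select queries based on the request" case from the comments still works without the request ever supplying SQL text. The class, table and column names are assumptions; the Hibernate calls used (createSQLQuery, setParameter, list) are the legacy org.hibernate.Query API.

```java
import java.util.List;
import java.util.Map;
import org.hibernate.Query;
import org.hibernate.Session;

// Hypothetical helper class; names are assumptions, not from the question.
public class CustomerQueries {

    // Unsafe form from the question: the SQL text is assembled from request input,
    // so a value such as x'; DROP TABLE customer; -- becomes part of the statement.
    @SuppressWarnings("unchecked")
    public static List<Object[]> unsafeFind(Session session, String nameFromRequest) {
        String sqlQuery = "select id, name from customer where name = '" + nameFromRequest + "'";
        return session.createSQLQuery(sqlQuery).list();
    }

    // Whitelist of query templates. The request picks a key and supplies values;
    // it never contributes SQL text, so there is nothing to parse or filter.
    private static final Map<String, String> TEMPLATES = Map.of(
        "byName", "select id, name from customer where name = :name",
        "byCity", "select id, name from customer where city = :city");

    @SuppressWarnings("unchecked")
    public static List<Object[]> safeFind(Session session, String queryKey,
                                          Map<String, Object> params) {
        String template = TEMPLATES.get(queryKey);
        if (template == null) {
            throw new IllegalArgumentException("unknown query key: " + queryKey);
        }
        Query query = session.createSQLQuery(template);
        // Bind values as named parameters: the driver sends them separately from
        // the statement text, so a value cannot terminate or extend the statement.
        for (Map.Entry<String, Object> e : params.entrySet()) {
            query.setParameter(e.getKey(), e.getValue());
        }
        return query.list();
    }
}
```

Parameter binding protects the statement text only; running the application under a database account that has no DDL privileges is the separate control that makes a DROP TABLE fail even if some other code path still concatenates SQL.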

0 Answers