
I know Spring and Hibernate are secured from SQL injection.

  1. But how do I get to know my application is safe from SQL injection attacks?
  2. How does any ORM tool handle SQL injection?

Thanks in advance.


1 Answer

Hibernate does provide security from SQL injection if you use the API properly.

From: https://www.owasp.org/index.php/Hibernate#A_note_about_SQL_injection

A note about SQL injection

Since it is the hot topic, I will address it now but discuss in detail later.

  • Hibernate does not grant immunity to SQL Injection, one can misuse the API as they please.
  • There is nothing special about HQL (Hibernate's subset of SQL) that makes it any more or less susceptible.
  • Functions such as createQuery(String query) and createSQLQuery(String query) create a Query object that will be executed when the call to commit() is made. If the query string is tainted you have SQL injection. The details of these functions are covered later.

Always use a PreparedStatement to prevent SQL injection; it is part of the JDBC API, and Hibernate itself uses this API.

For example:

String query1 = "select * from MyBean where id = " + id; // Not secure: the value is spliced into the query text
String query2 = "select * from MyBean where id = :id";   // Secure: named parameter, bound later via setParameter("id", id)

A useful article on this topic: http://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-hibernate

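The contrast the answer draws between a concatenated query string and a bound parameter, written out as a small Hibernate DAO. This is an added example, not code from the question, the answer or the OWASP page; it assumes a mapped entity `MyBean` with an `id` column (table `my_bean`) and Hibernate 5.2 or later, where `createSQLQuery` was replaced by `createNativeQuery`. The practical check for the question's first point is to review every `createQuery`/`createNativeQuery` call site and make sure the query text is a constant and all values arrive through `setParameter`.

```java
import org.hibernate.Session;
import org.hibernate.query.Query;
import java.util.List;

// Hypothetical DAO used only to illustrate the two patterns from the answer.
public class MyBeanDao {

    // INSECURE: the caller-supplied value becomes part of the HQL text.
    // Hibernate has no way to tell data from query syntax here, so a
    // tainted "id" changes the statement itself. This is the createQuery
    // misuse the OWASP note warns about.
    public List<MyBean> findByIdUnsafe(Session session, String id) {
        String hql = "from MyBean where id = " + id;
        return session.createQuery(hql, MyBean.class).getResultList();
    }

    // SECURE: the HQL string is a constant with a named parameter. Hibernate
    // binds the value through a JDBC PreparedStatement, so it is always
    // treated as data, never as part of the query.
    public MyBean findByIdSafe(Session session, long id) {
        Query<MyBean> query = session.createQuery(
                "from MyBean where id = :id", MyBean.class);
        query.setParameter("id", id);
        return query.uniqueResult();
    }

    // SECURE, native SQL: dropping to plain SQL does not require concatenation.
    // createNativeQuery (formerly createSQLQuery) supports the same binding.
    public List<MyBean> findByNameNative(Session session, String name) {
        return session.createNativeQuery(
                        "select * from my_bean where name = :name", MyBean.class)
                .setParameter("name", name)
                .getResultList();
    }
}
```

Typing the `id` parameter as `long` in the safe variant is a second, independent guard: a non-numeric value is rejected before it ever reaches Hibernate.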