1

I have seen some topics discussing protection against SQL-injection by means of named parameters, but how about hibernate statements like

currentSession().update(object);

or

currentSession().save(object)?

Are these safe? Or is it safer to always use named parameters like

currentSession().createQuery("update Object set field=:field where id=:id").setParameter("field", field).setParameter("id", id).executeUpdate()?

Dragan Bozanovic
  • 23,102
  • 5
  • 43
  • 110
sva605
  • 1,571
  • 3
  • 20
  • 34

1 Answers1

3

They are safe, Hibernate uses bound variables for entity CRUD statements. The statements are cached for each entity to avoid creating them every time when they are needed and only bound variable values are provided when they are executed.

You can enable SQL logging to inspect the generated SQL.

Community
  • 1
  • 1
Dragan Bozanovic
  • 23,102
  • 5
  • 43
  • 110