
I have seen the HQL SQL injection topic at "How to prevent SQL Injection in hibernate?". But I could not understand how `Query.setParameter("<parameter name>", <parameter value>)` eliminates SQL injection. If a malicious user passes `true = true` to the following HQL,

```java
String hqlString = "from Item item where name= '" + nameValue + "'";
```

then he can pass it to `query.setString("name" + nameValue)` also! Do `setString()` and all of its sister methods have any filter to check for SQL injection?

– Nealesh

  • `Query` in Hibernate is exactly like a `PreparedStatement` in conventional JDBC. It actually builds your query and executes it. – Rookie007 Jun 09 '15 at 09:10

1 Answer

The JDBC or Hibernate driver will escape this data appropriately before the query is executed, making sure that the data is used just as data.

Before executing the query, the driver will escape characters like the following:

  1. ; (Query delimiter.)
  2. ' (Character data string delimiter.)
  3. -- (Comment delimiter.)
– Safwan Hijazi

  • I was hoping for an actual attack, e.g. the malicious user passes in `' OR '1'='1` for `nameValue`. – Tim Biegeleisen Jun 09 '15 at 09:22
  • In this case the driver will escape the ' character and the value will be like this: OR 1=1, and here there is sql injection – Safwan Hijazi Jun 09 '15 at 09:24
  • OK, I think we should check what happens if logical operators or SQL operators like LIKE are placed. – Nealesh Jun 09 '15 at 14:10
  • In the case of logical operators, you should pass another character to make SQL injection, and the driver will escape these characters, so the logical operator will be considered as data, not an operator. – Safwan Hijazi Jun 09 '15 at 18:00
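The exchange above can be reproduced end to end without a Hibernate setup. The following is an added example, not code from the question or the answer: it uses Python's built-in `sqlite3` driver as a stand-in for the JDBC `PreparedStatement` that Hibernate's `Query.setParameter` ultimately delegates to, and a constructed three-row `item` table. It shows the concatenated HQL from the question letting Tim Biegeleisen's `' OR '1'='1` payload return every row, the same payload bound as a parameter matching nothing (a bound value is handed to the engine as a literal and is never spliced into the SQL text, so no "escaping" step is needed), what the question's `query.setString("name" + nameValue)` misuse amounts to (the parameter name no longer matches, so the driver refuses to execute), and the LIKE case raised by Nealesh: binding stops injection, but `%` and `_` inside a bound value are still wildcards and need a separate LIKE escape if the input is meant literally. The function and table names are my own choices for the example.

```python
import sqlite3

# Constructed sample rows for the example; not data from the original post.
ITEMS = [("apple",), ("banana",), ("cherry",)]


def _fresh_db():
    """In-memory SQLite database with an `item(name)` table, stand-in for the HQL Item entity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (name TEXT)")
    conn.executemany("INSERT INTO item(name) VALUES (?)", ITEMS)
    return conn


def find_by_name_concat(name_value):
    """Vulnerable form, mirroring the question's concatenated HQL string:
    the user's text becomes part of the statement, so quotes end the literal."""
    conn = _fresh_db()
    sql = "SELECT name FROM item WHERE name = '" + name_value + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_bound(name_value):
    """Safe form, the analogue of query.setParameter("name", nameValue):
    the statement text is fixed and the value is bound to :name as data."""
    conn = _fresh_db()
    sql = "SELECT name FROM item WHERE name = :name ORDER BY name"
    return [row[0] for row in conn.execute(sql, {"name": name_value})]


def bind_with_tampered_name(name_value):
    """What query.setString("name" + nameValue) from the question amounts to:
    the supplied parameter name does not match the :name placeholder, so the
    driver raises instead of running anything (sqlite3 reports a missing binding)."""
    conn = _fresh_db()
    sql = "SELECT name FROM item WHERE name = :name"
    try:
        conn.execute(sql, {"name" + name_value: name_value})
        return "executed"
    except sqlite3.Error:
        return "rejected"


def find_by_name_like_bound(pattern):
    """Bound LIKE: injection-proof, but % and _ in the bound value still act
    as wildcards because LIKE interprets them inside the data itself."""
    conn = _fresh_db()
    sql = "SELECT name FROM item WHERE name LIKE :pattern ORDER BY name"
    return [row[0] for row in conn.execute(sql, {"pattern": pattern})]


def escape_like(value, esc="\\"):
    """Neutralise LIKE metacharacters so user input is matched literally.
    The escape character itself is doubled first so it cannot be smuggled in."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def find_by_name_like_literal(value):
    """Bound LIKE with an ESCAPE clause: the value is both bound (no injection)
    and wildcard-escaped (no unintended pattern matching)."""
    conn = _fresh_db()
    sql = "SELECT name FROM item WHERE name LIKE :pattern ESCAPE '\\' ORDER BY name"
    return [row[0] for row in conn.execute(sql, {"pattern": escape_like(value)})]


if __name__ == "__main__":
    payload = "' OR '1'='1"
    print("concatenated:", find_by_name_concat(payload))      # every row leaks
    print("bound:", find_by_name_bound(payload))              # nothing matches
    print("tampered name:", bind_with_tampered_name(payload))  # rejected
    print("bound LIKE '%':", find_by_name_like_bound("%"))    # every row, by design of LIKE
    print("literal LIKE '%':", find_by_name_like_literal("%"))  # nothing matches
```

The takeaway for the question is that a bound parameter is not filtered or escaped by `setString`; it simply never reaches the SQL parser as syntax, which is why a quote or `OR` in the value is inert. The LIKE functions show the one thing binding does not cover: operators that interpret their operand as a pattern still need wildcard escaping on top of binding.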