
I am developing an application using Hibernate. When I try to create a login page, the problem of SQL injection arises; I'm using Veracode as the scanning analyser.

I have the following code:

import java.util.HashMap;
import java.util.Set;
import org.hibernate.Hibernate;
import org.hibernate.SQLQuery;
import org.hibernate.Session;

Session session = getSession();
HashMap<String, String> parameters = new HashMap<String, String>();
// The helper builds the SQL text from the search criteria and fills the parameters map
String finalValue = _helper.constructSearchSQLQuery(searchCriteria, session, parameters);
SQLQuery sqlQuery = session.createSQLQuery(finalValue);  // line flagged by the scanner
sqlQuery.addScalar("requestId", Hibernate.LONG);
Set<String> keys = parameters.keySet();

At the line SQLQuery sqlQuery = session... it is showing SQL injection. Please help me with how to fix this.

khanam
  • Consider using the Criteria API or HQL / Hibernate Query Language. – Laurentiu L. Aug 07 '15 at 09:41
  • You are giving an SQL string to the method. Use parameters instead. – Florian Schaetz Aug 07 '15 at 09:42
  • Also you could try session.createSQLQuery().setParameter() which should be safe. – Laurentiu L. Aug 07 '15 at 09:43
  • Could you please change my source code here if possible, so that I can understand it easily. – khanam Aug 07 '15 at 09:45
  • @LaurentiuL, it's showing some error. – khanam Aug 07 '15 at 10:08
  • @khanam When I say setParameter, I don't mean copy the code as it is. I mean set your parameters via the setParameter method. – Laurentiu L. Aug 07 '15 at 10:09
  • @LaurentiuL. I'm new to Hibernate, so I'm seeking help. Could you please guide me on where to change it? – khanam Aug 07 '15 at 10:19
  • possible duplicate of [How to prevent SQL Injection in hibernate?](http://stackoverflow.com/questions/14102334/how-to-prevent-sql-injection-in-hibernate) – Stefan Aug 07 '15 at 10:35
  • @LaurentiuL., I changed the code as follows; is it the right way? Query sqlQuery = sessionFactory.getCurrentSession().createQuery( finalQuery); ((SQLQuery) sqlQuery).addScalar("requestId", Hibernate.LONG); – khanam Aug 07 '15 at 11:09
  • I don't know. Not without the big picture: where this is used, where it's called from, and how constructSearchSQLQuery looks. Don't start posting it all for me. I mentioned my preferred approach. Good luck with your research. – Laurentiu L. Aug 07 '15 at 11:16
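The fix the comments point at, shown as an added example (not the asker's code or Hibernate's own): the unsafe helper splices the search value into the SQL text, while the safe helper emits only fixed SQL plus named placeholders and hands the values back through the parameters map, which the caller then binds with setParameter. The SearchCriteria class, the table and column names, and the helper method names are assumptions made for this example; the Hibernate 3 API (SQLQuery, Hibernate.LONG) matches what the question uses.

```java
import java.util.HashMap;
import java.util.Map;
import org.hibernate.Hibernate;
import org.hibernate.SQLQuery;
import org.hibernate.Session;

public class SafeSearch {
    // Hypothetical search criteria, standing in for the question's searchCriteria object.
    public static class SearchCriteria {
        public String username;  // null when not filtered on
        public String status;    // null when not filtered on
    }

    // UNSAFE: the user-supplied value becomes part of the SQL text, which is
    // what a scanner flags at createSQLQuery(); a quote in the input changes the query.
    static String buildUnsafeQuery(SearchCriteria c) {
        return "SELECT r.request_id AS requestId FROM requests r WHERE r.username = '"
                + c.username + "'";
    }

    // SAFE: the SQL text holds only fixed structure and named placeholders;
    // every user-supplied value goes into the parameters map instead.
    static String buildSafeQuery(SearchCriteria c, Map<String, Object> parameters) {
        StringBuilder sql = new StringBuilder(
                "SELECT r.request_id AS requestId FROM requests r WHERE 1 = 1");
        if (c.username != null) {
            sql.append(" AND r.username = :username");
            parameters.put("username", c.username);
        }
        if (c.status != null) {
            sql.append(" AND r.status = :status");
            parameters.put("status", c.status);
        }
        return sql.toString();
    }

    // Mirrors the question's flow: the helper fills the map, then each key is bound
    // with setParameter, so the value is sent to the database separately from the SQL.
    public static SQLQuery createSearchQuery(Session session, SearchCriteria criteria) {
        Map<String, Object> parameters = new HashMap<String, Object>();
        String finalValue = buildSafeQuery(criteria, parameters);
        SQLQuery sqlQuery = session.createSQLQuery(finalValue);
        sqlQuery.addScalar("requestId", Hibernate.LONG);
        for (String key : parameters.keySet()) {
            sqlQuery.setParameter(key, parameters.get(key));
        }
        return sqlQuery;
    }
}
```

The scanner stops flagging createSQLQuery only when every string reaching it is built from constants and placeholders, so the same discipline has to hold inside constructSearchSQLQuery itself.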

0 Answers