14

Does Hibernate guard against SQL injection attacks? If I am using Hibernate, am I completely safe from SQL injection attacks? I heard that using Hibernate to execute a dynamic SQL statement built with user input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

harry
  • 731
  • 10
  • 23
  • I would say 100%, if no native queries are used with concatenation, as far as I know. – Asad Rasheed Mar 07 '12 at 05:46
  • 3
    @AsadRasheed: No, even the **HQL** is vulnerable if you did not write it properly. – ManuPK Mar 07 '12 at 15:03
  • 1
    @ManuPK: you are right; as Andrew said, it always depends on the dev who is using the library. – Asad Rasheed Mar 08 '12 at 06:05
  • @andrewcooke At some point in everyone's career, they did not know what SQL injection was. The kind of person who "shouldn't be doing this work" is the kind that discourages others from learning. We're sorry that the rest of us can't magically start out as all stars like you, but that's why we ask questions to learn. – KyleM Jan 02 '13 at 19:12
  • @andrewcooke Btw, I'm an example of someone who understands SQL injection well enough: I understand how it happens, what it is, and how to guard against it by separating the query syntax itself from the parameters. Yet I still gained reassurance about my assumptions on HQL's safeness (when used with named params) from reading this thread. It's insulting that you would discourage someone's self-improvement, including OP's and my own, especially on a site that is designed for it. – KyleM Jan 02 '13 at 19:17

1 Answer

15

Does Hibernate guard against SQL injection attack?

No, it doesn't guard against wrongly written ones, so you need to be careful when you write the queries. Always use the prepared-statement style; for example, consider the HQL queries below:

String query1 = "select * from MyBean where id = " + id;   // concatenation: the user-supplied value becomes part of the query text
String query2 = "select * from MyBean where id = :id";     // named parameter: the value is bound separately and never parsed as query syntax

**query1** is still vulnerable to **SQL injection**, whereas **query2** is not.

So, in short, Hibernate provides many ways that you should use to guard yourself from SQL injection attacks.

Brian Matthews
  • 8,506
  • 7
  • 46
  • 68
ManuPK
  • 11,623
  • 10
  • 57
  • 76
  • 2
    This answer is correct, but was misread by one of my co-workers as "yes, hibernate helps", so let me elaborate. Hibernate (specifically HQL) has the EXACT same problem that SQL does. Both have parameters, and both allow string concatenation. You can screw it up in both, equally easily. Hibernate does lots of awesome stuff, but it doesn't save you from SQL Injection any more than plain SQL does. – Ryan Shillington Aug 15 '13 at 17:22
  • 1
    I think a link to Hibernate's "many ways" provided would be more beneficial than a link to a wiki on sql injection. – dev_feed Jul 21 '14 at 16:26
  • What is special about "String query2 = "select * from MyBean where id = :id"" that SQL injection cannot happen? Here also we are replacing the string "id" with user input, which can be malicious, right? – Kumar Manish May 14 '22 at 20:30
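The following is an added example, not code from the answer above or from the Hibernate project, that puts the two query styles from the answer side by side in a small repository class. It assumes a mapped entity named MyBean with a Long "id" and a String "name" column, a table my_bean for the native query, and an already-open Hibernate Session; these names are placeholders. It also answers the last comment: with a named parameter the HQL text is a constant, and the bound value travels to the database through a JDBC PreparedStatement as data, so the database never parses it as part of the statement.

```java
import org.hibernate.Session;
import org.hibernate.query.Query;
import java.util.List;

// Added example (not from the original answer). Assumes a mapped entity MyBean
// with fields "id" (Long) and "name" (String), a table my_bean, and an open Session.
public class MyBeanRepository {

    private final Session session;

    public MyBeanRepository(Session session) {
        this.session = session;
    }

    // VULNERABLE: the request text is spliced into the HQL statement itself,
    // so Hibernate's parser treats whatever the caller typed as query syntax.
    // Kept only to show the pattern the answer warns against.
    public List<MyBean> findByIdUnsafe(String idFromRequest) {
        String hql = "from MyBean where id = " + idFromRequest;
        return session.createQuery(hql, MyBean.class).getResultList();
    }

    // SAFE: the query text is a constant; the value is bound to the named
    // parameter and sent to the database as data, never parsed as a statement.
    public MyBean findById(String idFromRequest) {
        // Convert to the key type first: non-numeric input fails here with a
        // NumberFormatException instead of ever reaching the query.
        Long id = Long.valueOf(idFromRequest.trim());
        Query<MyBean> q = session.createQuery("from MyBean where id = :id", MyBean.class);
        q.setParameter("id", id);
        return q.uniqueResult();
    }

    // Native SQL needs the same discipline: createNativeQuery supports named
    // parameters too, so concatenation is never necessary there either.
    public List<MyBean> findByNameNative(String nameFromRequest) {
        return session.createNativeQuery("select * from my_bean where name = :name", MyBean.class)
                      .setParameter("name", nameFromRequest)
                      .getResultList();
    }

    // A LIKE search is where concatenation is most tempting; bind the whole
    // pattern instead. (Wildcard characters in the input still act as wildcards,
    // which is a matching concern, not an injection into the statement.)
    public List<MyBean> searchByNamePrefix(String prefixFromRequest) {
        return session.createQuery("from MyBean where name like :pattern", MyBean.class)
                      .setParameter("pattern", prefixFromRequest + "%")
                      .getResultList();
    }
}
```

A quick review rule that follows from this: any call to createQuery or createNativeQuery whose argument is built with "+" or String.format from request data is the vulnerable pattern, regardless of whether the text is HQL or native SQL; the safe versions all pass a literal string and bind values with setParameter.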