Prevention against SQL Injection in Hibernate

2019-01-27 15:47发布

站内问答 / 后端开发
890 1 4

I have used hibernate to interact with my database, now I wanted to make my database layer secure against SQL Injection, so I did some research and I found out that my queries should be parameterized , so does it mean if I just structure my HQL queries as:

List mothers = session.createQuery(
"select mother from Cat as cat join cat.mother as mother where cat.name = ?")
.setString(0, name)
.list();

Then it's parameterized and protected from SQL Injection, or is there something else which I need to do...

One other thing was mentioned - "Always escape your Data" How can that be achieved ??

1条回答
小情绪 Triste *
2楼-- · 2019-01-27 16:31

I don't know about setString() but if it is the same as setParameter() then yes, it is enough to do that to prevent sql injection.

Update

By escaping data, means that you have to make sure you are not storing dangerous values in the database.

A quick example is for instance if you pass in the argument

String name = "<script>alert('Hello');</script>";
//insert this name into Mother, and then when you load it from the database, it will be displayed    

List mothers = session.createQuery(
"select mother from Cat as cat join cat.mother as mother where cat.name = ?")
.setString(0, name)
.list();

to your query, then next time you load this from the database, and render it in your web browser, it will run the script.
You need to make sure your framework escapes all illegal characters, ie: changing < to &lt; before you insert it in the database.
If your framework does not do this, you have to do it manually. There are tons of libraries out there that correctly escapes code for you. Take a look at this question for instance and the answers there.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)