In my Java program I used Hibernate to access a MySQL database table called items. That table has columns named “itemname”, “itemprice” and “itemid”, and my Java program has HQL statements to fetch data. It also has a combo box which is populated from the items table. Once we select an itemname from the combo box it automatically fills two non-editable JTextFields called itemid and itemprice, and another part of the program has code to get string values from those JTextFields and write those values into another database table called orders using a POJO class.
I want to know whether this kind of program can be attacked by SQL injection. If we use Hibernate, is it safe from SQL injection attacks?
If my program has security threats, briefly explain how I can avoid them.
I post some code here.
This statement fills the combo box:
String SQL_QUERY = "Select items.iname,items.iid,items.iprice from Item items";
This statement fills the JTextFields. The “selecteditem” variable is the selected index of the combo box:
String SQL_QUERY ="Select items.iname,items.iid,items.iprice from Item items where items.iid = '"+selecteditem+"'";
This method writes data to the orders table:
// To send data to the orders table
private void fillordertable() {
    String itemname = (String) jcbItemCode.getSelectedItem();
    String itempric = jtfItemPrice.getText();
    String tmp = jtfQuantity.getText();
    int itemqty = Integer.parseInt(tmp);
    String temp = jtfUnitPrice.getText();
    double unitpric = Double.parseDouble(temp);
    Session session = null;
    // These variables are for validation purposes
    String tempcname = jtfName.getText();
    String tempcemail = jtfEmail.getText();
    if (tempcname.equals("") || tempcemail.equals("")) {
        jtaDisplay.setText("Check * fields");
    }
    else {
        try {
            SessionFactory sessionFactory = new org.hibernate.cfg.Configuration().configure().buildSessionFactory();
            session = sessionFactory.openSession();
            session.beginTransaction();
            Order order = new Order();
            // itemcode and itemdis are not declared in the code shown here;
            // they must be set from fields elsewhere in the form
            order.setItcode(itemcode);
            order.setItdiscription(itemdis);
            order.setItqty(itemqty);
            order.setItemprice(unitpric);
            order.setTotprice(unitpric * itemqty);
            order.setOstatus("Placed");
            session.save(order);
            // commit() flushes the session, so no separate flush() is needed
            session.getTransaction().commit();
            // only report success when the commit actually went through
            jtaDisplay.setText("Order & customer tables updated successfully !!!");
        }
        catch (Exception exc) {
            jtaDisplay.setText(exc.getMessage());
        }
        finally {
            // session is null if openSession() threw; flushing after close() would fail
            if (session != null) {
                session.close();
            }
        }
    }
}
It is difficult to understand my whole code if I post it all here, so I have posted the parts which I thought helpful to answer my question. If that is not enough please comment.
Thanks!
is susceptible to SQL injection if
selectedItem is data entered by the user. Generating SQL or HQL queries by concatenating strings is in general bad form, and likely to lead to SQL injection possibilities.
The safe way is to use named parameters in any SQL or HQL.
In your example, which appears to be SQL, after acquiring a Hibernate session, something like:
should be approximately the way you want to code and execute your query.
Similar things apply to HQL.
If you just concatenate strings, the evil values entered by a hacker as in the famous xkcd become part of your query and can do awful things.
If this is not a web form but a desktop application, you may well be in complete control of the values that can get into this variable, but it’s still advisable to try to do these things correctly.
Another effect of named parameters is that the parametrized sql can be cached and reused for different values of the parameter. So it’s a good idea even without the security concern.
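The following is an added example (not the answerer's missing snippet and not the asker's project code) showing the concatenated lookup from the question side by side with the named-parameter form the answer recommends, in both HQL and native SQL. It assumes Hibernate 5.2 or later (`org.hibernate.query.Query`, `createQuery(String, Class)`, `createNativeQuery`, and `Session` as `AutoCloseable`), an `Item` entity with a `String` property `iid` as in the question's HQL, and a `SessionFactory` built elsewhere; all of these are assumptions. The write path in the question (`session.save(order)`) is already safe from injection through the string values, because Hibernate binds entity properties as prepared-statement parameters; the risk is confined to the hand-built query strings.

```java
import java.util.List;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.query.NativeQuery;
import org.hibernate.query.Query;

// Assumed entity: Item with properties iname, iid (String), iprice, as used in the question's HQL.
public class ItemLookup {

    private final SessionFactory sessionFactory; // assumed to be built once elsewhere

    public ItemLookup(SessionFactory sessionFactory) {
        this.sessionFactory = sessionFactory;
    }

    // UNSAFE: the same string concatenation as the question. Whatever is in
    // selectedItem becomes part of the HQL text, so a quote character or HQL
    // keyword in it changes the query instead of being treated as a value.
    public List<Item> findByIdUnsafe(String selectedItem) {
        String hql = "select items from Item items where items.iid = '" + selectedItem + "'";
        try (Session session = sessionFactory.openSession()) {
            return session.createQuery(hql, Item.class).list();
        }
    }

    // SAFE (HQL): the query text is a constant, and the value is bound as a
    // named parameter. Hibernate passes it to the JDBC driver separately from
    // the statement, so it can only ever be compared as data.
    public List<Item> findByIdSafe(String selectedItem) {
        String hql = "select items from Item items where items.iid = :iid";
        try (Session session = sessionFactory.openSession()) {
            Query<Item> query = session.createQuery(hql, Item.class);
            query.setParameter("iid", selectedItem);
            return query.list();
        }
    }

    // SAFE (native SQL): the same rule applies when you write raw SQL against
    // the items table instead of HQL against the Item entity.
    @SuppressWarnings("unchecked")
    public List<Object[]> findByIdNativeSafe(String selectedItem) {
        String sql = "select iname, iid, iprice from items where iid = :iid";
        try (Session session = sessionFactory.openSession()) {
            NativeQuery<Object[]> query = session.createNativeQuery(sql);
            query.setParameter("iid", selectedItem);
            return query.list();
        }
    }

    // SAFE: the combo-box query has no user input at all, so there is nothing
    // to inject; it is fine as a constant string.
    public List<Item> listAll() {
        try (Session session = sessionFactory.openSession()) {
            return session.createQuery("select items from Item items", Item.class).list();
        }
    }
}
```

In the desktop form from the question the value comes from a non-editable combo box, so today it is under the program's control; binding it as a parameter anyway means the code stays correct if that field is later made editable, loaded from a file, or reused behind a web form, and it lets Hibernate and the driver reuse the prepared statement across different `iid` values.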