is there a simple way to handle SQL injection in Hibernate HQL order by

Question

0

Asked: May 20, 20262026-05-20T02:37:33+00:00 2026-05-20T02:37:33+00:00

is there a simple way to handle SQL injection in Hibernate HQL order by

0

is there a simple way to handle SQL injection in Hibernate HQL order by clause. Named params obviously doesn’t work for it.

EDIT:

Feel free to post your way of handling this problem. I want to see other people’s solutions and teach from them.

Thanks for any suggestions and solutions.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-20T02:37:34+00:00

You could use the Hibernate criteria API instead of HQL.

The criteria API check that the order criterium refers a valid property.

if you try someting like that:

public void testInjection() {
    String orderBy = "this_.type desc, type";

    Criteria crit = this.getSession().createCriteria(DemoEntity.class);
    crit.addOrder(Order.asc(orderBy));      
    crit.list();
}

You will get an QueryException: "could not resolve property this_ of de.test.DemoEntity"
thrown by AbstractPropertyMapping.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

is there a simple way to handle SQL injection in Hibernate HQL order by

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply