Plain-vanilla NHibernate setup, eg, no fluent NHibernate, no HQL, nothing except domain objects and

Question

0

Asked: May 14, 20262026-05-14T03:33:34+00:00 2026-05-14T03:33:34+00:00

Plain-vanilla NHibernate setup, eg, no fluent NHibernate, no HQL, nothing except domain objects and

0

Plain-vanilla NHibernate setup, eg, no fluent NHibernate, no HQL, nothing except domain objects and NHibernate mapping files. I load objects via:

_lightSabers = session.CreateCriteria(typeof(LightSaber)).List<LightSaber>();

I apply raw user input directly to one property on the “LightSaber” class:

myLightSaber.NameTag = "Raw malicious text from user";

I then save the LightSaber:

session.SaveOrUpdate(myLightSaber);

Everything I’ve seen says that yes, under this situation you are immune to SQL injection, because of the way NHibernate parameterizes and escapes the queries under the hood. However, I’m also a relative NHibernate beginner so I wanted to double-check.

Thanks!

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-14T03:33:35+00:00

Editorial Team

2026-05-14T03:33:35+00:00Added an answer on May 14, 2026 at 3:33 am

Yes, you’re almost immune to SQL injection when using NHibernate. It uses parameterized queries for all generated SQL statements on all platforms that support these.

You can, however, circumvent this by using custom SQL for insertions/updates, or by executing SQL with a variation of execute_sql of some sort, or SQL Queries without parameters.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Plain-vanilla NHibernate setup, eg, no fluent NHibernate, no HQL, nothing except domain objects and

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply