To avoid SQL injections, normally positional parameters and named parameters can be used in HQL, as it demos here, and Stack Overflow also has samples. I want to know which steps can be taken when Criteria is used. Any help with sample code or useful links, please.
Edit
Also, what about when we save an object? Let's say the object may have a String variable and someone can assign a vulnerable SQL query to it.
myObject.setName(somevulnerablesql); session.save(myObject);
In that case, do we have to check user input separately before assigning it to the object? Or are there any other steps to avoid such SQL injections?
I'm quite sure that the Criteria object will create safe HSQL.
You have to be careful with the Expression object. You may create a SQL injection there.
But take a look at the generated SQL: Hibernate show real SQL
Edit:
Unless there is a huge bug in Hibernate, you don't have to make sure that your Strings are escaped before you save them. Hibernate works with prepared statements. So there is no string concatenation and no SQL injection with the Hibernate session. You may have to escape the output, however, after reading it with Hibernate. For example:
You have an Entity User.
And you call the user "' or 1=1;DROP DATABASE user;--". That string will be stored within the database.
If you query the User with a Criterion object, you will find him (without dropping the database). If you query the User with the Expression object, you may drop the database (if you concatenate Strings).
If you output the user's name to HTML, you have to escape the output. Otherwise a user with the name
"/><script>evilJavascript()</script> will be bad for your application.
Edit 2:
Take a look here: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
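As an added example (not code from the question or the answer above), here is the safe Criteria restriction beside the raw-SQL restriction that reintroduces string concatenation, plus its parameter-bound form. The User entity, its name property and the open Session are assumed, and the classic Hibernate Criteria API (org.hibernate.criterion, pre-5.2 style) is used.

```java
import java.util.List;

import org.hibernate.Criteria;
import org.hibernate.Session;
import org.hibernate.criterion.Restrictions;
import org.hibernate.type.StandardBasicTypes;

// Assumes a mapped entity class User with a String property "name"
// and an already opened Hibernate Session (both hypothetical here).
public class UserLookup {

    // Safe: Restrictions.eq binds userInput as a prepared-statement parameter.
    // A value such as "' or 1=1;DROP DATABASE user;--" is compared literally
    // against the name column; it is never parsed as SQL.
    @SuppressWarnings("unchecked")
    public static List<User> findByNameSafe(Session session, String userInput) {
        Criteria criteria = session.createCriteria(User.class)
                .add(Restrictions.eq("name", userInput));
        return criteria.list();
    }

    // Unsafe: sqlRestriction (the successor of the old Expression.sql) takes a
    // raw SQL fragment. Concatenating user input into it is exactly the
    // "Expression object" risk the answer warns about.
    @SuppressWarnings("unchecked")
    public static List<User> findByNameUnsafe(Session session, String userInput) {
        Criteria criteria = session.createCriteria(User.class)
                .add(Restrictions.sqlRestriction("name = '" + userInput + "'"));
        return criteria.list();
    }

    // Hardened raw-SQL form: keep the fragment constant and pass the value
    // as a bound parameter together with its Hibernate type.
    @SuppressWarnings("unchecked")
    public static List<User> findByNameRawSafe(Session session, String userInput) {
        Criteria criteria = session.createCriteria(User.class)
                .add(Restrictions.sqlRestriction("name = ?", userInput,
                        StandardBasicTypes.STRING));
        return criteria.list();
    }
}
```

Enabling hibernate.show_sql, as the answer suggests, lets you confirm that only the unsafe variant emits the user's text inside the generated SQL; the other two show a ? placeholder.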