Security Basics mailing list archives

Re: SQL Injections and Hibernate


From: AdityaK <aditya1010 () gmail com>
Date: Thu, 7 Jun 2007 00:25:57 +0530

SQL injection can occur in Hibernate if:

1) Your native SQL queries directly contain user-entered data.
2) Your dynamic queries generated by Hibernate for hitting the DB are
not bound to DB parameters.
3) You use the methods in the API that take a String query parameter;
these are prone to attack, like Session.iterate(String, ...) and
Session.delete(String, ...) etc. (I am not sure whether they have fixed
it or not ;))

Regards
AK
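
The three cases listed in the reply, shown as an added example (written for this archive page, not code from the thread, from Hibernate, or from either poster). It assumes the Hibernate 5.x Session API (createQuery / createNativeQuery with setParameter, javax.persistence annotations) and a hypothetical User entity mapped to a users(id, name, email) table; the old classic-API methods that took a bare query string, such as Session.delete(String), are shown only in a comment because they are not part of a current Session.

```java
import java.util.List;
import java.util.Set;
import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.Table;
import org.hibernate.Session;
import org.hibernate.query.NativeQuery;
import org.hibernate.query.Query;

// Added example, not from the mailing-list thread. Assumes Hibernate 5.x and a
// hypothetical entity User mapped to table users(id, name, email).
public class HibernateInjectionDemo {

    @Entity
    @Table(name = "users")
    public static class User {
        @Id public Long id;
        public String name;
        public String email;
    }

    // Case 1 from the reply: native SQL with the user's input spliced into the
    // string. Input  x' OR '1'='1  matches every row; the ORM layer adds nothing
    // here because Hibernate passes the text to JDBC unchanged.
    public static List<User> vulnerableNative(Session session, String name) {
        String sql = "select * from users where name = '" + name + "'";
        return session.createNativeQuery(sql, User.class).getResultList();
    }

    // Fix for case 1: the value is a bound JDBC parameter; the SQL text is constant.
    public static List<User> safeNative(Session session, String name) {
        NativeQuery<User> q = session.createNativeQuery(
                "select * from users where name = :name", User.class);
        q.setParameter("name", name);
        return q.getResultList();
    }

    // Case 2: HQL built by concatenation is just as injectable. Hibernate does
    // generate the SQL, but the attacker's quote characters are already inside
    // the HQL it is translating.
    public static List<User> vulnerableHql(Session session, String name) {
        String hql = "from User u where u.name = '" + name + "'";
        return session.createQuery(hql, User.class).getResultList();
    }

    // Fix for case 2: named parameter in HQL, bound by Hibernate.
    public static List<User> safeHql(Session session, String name) {
        Query<User> q = session.createQuery(
                "from User u where u.name = :name", User.class);
        q.setParameter("name", name);
        return q.getResultList();
    }

    // Case 3: the classic API call
    //     session.delete("from User u where u.name = '" + name + "'");
    // had the same flaw as case 2. On a current Session the equivalent is a
    // parameterised bulk HQL statement.
    public static int safeDelete(Session session, String name) {
        return session.createQuery("delete from User u where u.name = :name")
                .setParameter("name", name)
                .executeUpdate();
    }

    // Caveat a reviewer should check for: identifiers (ORDER BY column, table
    // name) cannot be bound as parameters, so they must come from an allow-list,
    // never from the request. This helper is an assumption of this example.
    private static final Set<String> SORTABLE = Set.of("name", "email");

    public static List<User> safeSorted(Session session, String sortColumn) {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return session.createQuery("from User u order by u." + sortColumn, User.class)
                .getResultList();
    }
}
```

Calling vulnerableHql(session, "x' or '1'='1") with an open Session returns every User row; safeHql with the same string returns only a user literally named x' or '1'='1, which is the behaviour the reply's point 2 is asking for.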


On 6/6/07, Linux Security <linux_sec () yahoo co uk> wrote:

Hello All,

How secure is a Java web application that uses ONLY Hibernate to access a database from SQL injections?

As far as I know and understand, the Hibernate layer will determine the SQL statements that are going to hit the database, and this makes it much more secure than the developer creating the SQL using JDBC and having to check the user input for SQL injections, but is there a way for a malicious user of the application to inject SQL and (maybe) bypass the Hibernate layer?

Thank you in advance





