I'm building a Java Web Application using Java EE 6 and JSF-2.0, using the persistence API for all database operations.
The back-end is MySQL, but I have used the EntityManager functions and Named Queries in EJB-QL for all operations. Are SQL injection attacks possible in this case?
Hibernate does not grant immunity to SQL injection; one can misuse the API as they please. There is nothing special about HQL (Hibernate's subset of SQL) that makes it any more or less susceptible.
Note that using JPA or other ORMs without prepared statements with bound parameters won't protect you from an SQL injection.
Even though this vulnerability has been known for over 20 years, injections still rank number 3 in OWASP's Top 10 for web vulnerabilities. In 2021, 718 vulnerabilities of the type "SQL injection" were accepted as CVEs. So the answer is: Yes, SQL injections are still a thing.
SQL Injection is one of the top 10 web application vulnerabilities. In simple words, SQL injection means injecting/inserting SQL code into a query via user-supplied data. It can occur in any application using a relational database such as Oracle, MySQL, PostgreSQL or SQL Server.
It's only possible if you're inlining user-controlled variables in a SQL/JPQL string like so:
String sql = "SELECT u FROM User u WHERE id=" + id;
If you aren't doing that and are using parameterized/named queries only, then you're safe.
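Added example (not part of the answer above) contrasting the string concatenation the answer warns about with the bound-parameter and named-query forms under JPA 2.0 / Java EE 6; the User entity with its id and email fields is assumed.

```java
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.NamedQuery;
import javax.persistence.TypedQuery;

// Assumed entity; the named query keeps its JPQL text constant and binds :email at runtime.
@Entity
@NamedQuery(name = "User.findByEmail",
            query = "SELECT u FROM User u WHERE u.email = :email")
class User {
    @Id private Long id;
    private String email;
    public Long getId() { return id; }
    public String getEmail() { return email; }
}

class UserRepository {
    private final EntityManager em;

    UserRepository(EntityManager em) { this.em = em; }

    // VULNERABLE: the caller-supplied string becomes part of the JPQL text itself,
    // so any input containing JPQL syntax changes the query's structure instead of
    // being compared as data. This is the pattern the answer above describes.
    User findByIdUnsafe(String id) {
        String jpql = "SELECT u FROM User u WHERE u.id = " + id;
        return em.createQuery(jpql, User.class).getSingleResult();
    }

    // SAFE: the JPQL text is a constant; the value travels separately as a bound
    // parameter, which the persistence provider hands to MySQL via a prepared statement.
    User findByIdSafe(Long id) {
        TypedQuery<User> q = em.createQuery(
            "SELECT u FROM User u WHERE u.id = :id", User.class);
        q.setParameter("id", id);
        return q.getSingleResult();
    }

    // Equally safe: the named query declared on the entity, still with a bound parameter.
    User findByEmail(String email) {
        return em.createNamedQuery("User.findByEmail", User.class)
                 .setParameter("email", email)
                 .getSingleResult();
    }
}
```

Only values can be bound this way; identifiers such as a user-chosen ORDER BY column cannot be parameters and must be checked against a fixed allow-list before being placed in the query text.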