Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Does Hibernate Criteria Api completely protect from SQL Injection

I am working with Hibernate to protect my website from SQL Injection.

I heard that Hibernate Criteria API is more powerful than HQL. Does Hibernate Criteria Api completely protect from SQL Injection?

like image 696
ѕтƒ Avatar asked Feb 25 '13 11:02

ѕтƒ


1 Answers

Yes, it does.

Criteria API as well as query parameters in HQL or JPQL both escape the parameters and would not execute malicious SQL.

The vulnerability is only exposed if you simply concatenate the parameters into your query. Then any malicious SQL becomes part of your query.

EDIT The OWASP features a SQL injection prevention cheatsheet. Using criteria queries is equivalent to defense option 1: using prepared statements.

like image 196
kostja Avatar answered Nov 09 '22 00:11

kostja