Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Does Hibernate Criteria Api completely protect from SQL Injection

Tags:

java

sql-injection

hibernate

hibernate-criteria

criteria-api

I am working with Hibernate to protect my website from SQL Injection.

I heard that Hibernate Criteria API is more powerful than HQL. Does Hibernate Criteria Api completely protect from SQL Injection?

like image 696
ѕтƒ Avatar asked Feb 25 '13 11:02

ѕтƒ

1 Answers

Yes, it does.

Criteria API as well as query parameters in HQL or JPQL both escape the parameters and would not execute malicious SQL.

The vulnerability is only exposed if you simply concatenate the parameters into your query. Then any malicious SQL becomes part of your query.

EDIT The OWASP features a SQL injection prevention cheatsheet. Using criteria queries is equivalent to defense option 1: using prepared statements.

like image 196
kostja Avatar answered Nov 09 '22 00:11

kostja
Sign in to Comment

Related questions

How to tell if the java.util.Date object contains the time portion?
How to print out Java jvm memory use for debugging purposes?
How to insert data from database with Web Service in java using JAX - RS
Programming a one-to-many relationship
Effectively Immutable Object
NoClassDefFoundError while running a program using AWS SDK for java
java.lang.Class cannot be cast to java.lang.reflect.ParameterizedType
How to make a callback after the view is completely rendered?
How can we have a dynamically typed language over JVM?
Single command to build all Eclipse maven projects in current workspace?
Skip root element while deserializing json
Hiding Fields in Java Inheritance
create heap dump from within application, without HotSpotDiagnosticMXBean
How to define a generic list deserializer through annotations with Jackson?
Preferred way to query a database multiple times?
Styled text in JavaFX?
Spring : how to replace constructor-arg by annotation? [duplicate]
Spring Data JPA(Hibernate): How do I retrieve a concrete entity using only a field in its abstract superclass?
Optional Request Header in Spring Rest Service
Why does non-lenient SimpleDateFormat parse dates with letters in?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!