Is there a simple way to handle SQL injection in a Hibernate HQL ORDER BY clause? Named params obviously don't work for it.
EDIT:
Feel free to post your way of handling this problem. I want to see other people's solutions and learn from them.
Thanks for any suggestions and solutions.
You could use the Hibernate Criteria API instead of HQL.
The Criteria API checks that the order criterion refers to a valid property.
If you try something like this:
    import org.hibernate.Criteria;
    import org.hibernate.criterion.Order;

    public void testInjection() {
        // Attacker-style value: tries to smuggle a second sort expression past the alias
        String orderBy = "this_.type desc, type";
        Criteria crit = this.getSession().createCriteria(DemoEntity.class);
        // Criteria resolves the string as a property path, not as raw SQL
        crit.addOrder(Order.asc(orderBy));
        crit.list(); // throws QueryException
    }
You will get a QueryException: "could not resolve property this_ of de.test.DemoEntity"
thrown by AbstractPropertyMapping.
I ended up with the solution I wanted to avoid. I've implemented a map where the key is what the user sees in the URL and the value is the column(s) in the DB that go after the ORDER BY clause.
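A worked version of that whitelist-map approach, added here as an example and not taken from the original post. It assumes Hibernate 5's typed `org.hibernate.query.Query` API and a `DemoEntity` with the properties `name`, `createdAt` and `type`; the sort keys in the map are made up for illustration.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.hibernate.Session;
import org.hibernate.query.Query;

public class SafeOrderBy {
    // Whitelist: key the user sees in the URL -> column expression(s) placed after ORDER BY.
    // Only values from this map ever reach the HQL string; raw user input never does.
    private static final Map<String, String> SORT_COLUMNS;
    static {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("name", "e.name");
        m.put("created", "e.createdAt");
        m.put("type", "e.type, e.name"); // several columns behind one key (assumed properties)
        SORT_COLUMNS = Collections.unmodifiableMap(m);
    }

    /** Builds the ORDER BY fragment from a user-supplied key and direction, or rejects the key. */
    static String orderByClause(String sortKey, String direction) {
        String columns = SORT_COLUMNS.get(sortKey);
        if (columns == null) {
            throw new IllegalArgumentException("unknown sort key: " + sortKey);
        }
        // Direction is mapped to one of two fixed tokens, never concatenated from input.
        String dir = "desc".equalsIgnoreCase(direction) ? "DESC" : "ASC";
        StringBuilder sb = new StringBuilder();
        for (String col : columns.split(",")) {
            if (sb.length() > 0) sb.append(", ");
            sb.append(col.trim()).append(' ').append(dir);
        }
        return sb.toString();
    }

    // Assumed entity: DemoEntity with a "type" property, as in the Criteria answer above.
    static List<DemoEntity> findByType(Session session, String type, String sortKey, String direction) {
        String hql = "from DemoEntity e where e.type = :type order by "
                + orderByClause(sortKey, direction);
        Query<DemoEntity> q = session.createQuery(hql, DemoEntity.class);
        q.setParameter("type", type); // the value part still goes through a named parameter
        return q.list();
    }
}
```

An unknown key such as `"this_.type desc, type"` never reaches the query string: the map lookup fails and the request is rejected before any HQL is built.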