Just wanted to know if there is a big chance to inject SQL while using NHibernate?
SQLAlchemy's facilities to coerce Python values into direct SQL string values are not secure against untrusted input and do not validate the type of data being passed.
While setting the name parameter, most would generally use this: `query.setParameter("name", "%" + name + "%");` Now, as mentioned above, a traditional parameter like "1=1" cannot be injected because of the TypedQuery, and Hibernate will handle it by default.
If you're using the criteria generators then no. NHibernate is aware of the .NET types and is consequently able to handle all escaping for you when generating queries.
Unparameterized HQL is vulnerable however.
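To make the distinction in the answer above concrete, here is an added C# example (not code from the original thread). It assumes a hypothetical mapped entity `Customer` with a `Name` property and an open NHibernate `ISession`. The first method shows the unparameterized HQL the answer warns about; the other two show the same lookup done with a bound HQL parameter and with the Criteria API.

```csharp
using System.Collections.Generic;
using NHibernate;
using NHibernate.Criterion;

// Assumed mapped entity (hypothetical, not from the original thread).
public class Customer
{
    public virtual int Id { get; set; }
    public virtual string Name { get; set; }
}

public static class CustomerQueries
{
    // VULNERABLE: user input is concatenated into the HQL text, so the input
    // becomes part of the query's structure. This is the "unparameterized HQL"
    // case from the answer above.
    public static IList<Customer> FindByNameUnsafe(ISession session, string name)
    {
        string hql = "from Customer c where c.Name like '%" + name + "%'";
        return session.CreateQuery(hql).List<Customer>();
    }

    // SAFE: the HQL text is fixed; the value is sent as a bound parameter.
    // The LIKE pattern is assembled in C# and passed whole, mirroring the
    // setParameter("name", "%" + name + "%") snippet quoted in the thread.
    public static IList<Customer> FindByNameHql(ISession session, string name)
    {
        return session.CreateQuery("from Customer c where c.Name like :pattern")
                      .SetParameter("pattern", "%" + name + "%")
                      .List<Customer>();
    }

    // SAFE: the Criteria API never takes query text from the caller at all;
    // NHibernate builds a parameterized statement from the typed restriction.
    public static IList<Customer> FindByNameCriteria(ISession session, string name)
    {
        return session.CreateCriteria<Customer>()
                      .Add(Restrictions.Like("Name", name, MatchMode.Anywhere))
                      .List<Customer>();
    }
}
```

One caveat worth keeping in mind: binding the value as a parameter stops the input from changing the query's structure, but `%` and `_` inside `name` are still interpreted as LIKE wildcards by the database, so a user can still widen the match. If that matters for your data, escape those characters before building the pattern.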