To avoid SQL injections, positional parameters and named parameters can normally be used in HQL, as it demos here, and Stack Overflow also has samples. I want to know which steps can be taken when Criteria is used. Any help with sample code or useful links, please.
Edit
Also, when we save an object? Let's say the object may have a String variable and someone can assign a vulnerable SQL query to it.
myObject.setName(somevulnerablesql);
session.save(myObject);
In that case, do we have to check user input separately before assigning it to the object? Or are there any other steps to avoid such SQL injections?
Hibernate does not grant immunity to SQL injection; one can misuse the API as they please. There is nothing special about HQL (Hibernate's subset of SQL) that makes it any more or less susceptible.
Yes, it does. Criteria API as well as query parameters in HQL or JPQL both escape the parameters and would not execute malicious SQL. The vulnerability is only exposed if you simply concatenate the parameters into your query. Then any malicious SQL becomes part of your query.
In general, SQL/HQL Injection is considered to have a high impact severity. Some of the main risks are: Confidentiality breach: access to sensitive information. Authentication and authorization breach: possibility to use another user without knowledge of its password.
Criteria in Hibernate can be used for join queries by joining multiple tables; useful methods for Hibernate Criteria joins are createAlias(), setFetchMode() and setProjection(). Criteria in the Hibernate API can be used for fetching results with conditions; the useful method is add(), where we can add Restrictions.
I'm quite sure that the Criteria-Object will create safe HSQL.
You have to be careful with the Expression object. You may create a SQL injection there. But take a look at the generated SQL: Hibernate show real SQL
edit:
Unless there is a huge bug in Hibernate, you don't have to make sure that your Strings are escaped before you save them. Hibernate works with prepared statements. So there is no string concatenation and no SQL injection with the Hibernate session.
You may have to escape the output, however, after reading it with Hibernate. For example: you have an Entity User
class User {
    String name;
}
And you call the user "' or 1=1;DROP DATABASE user;--". That string will be stored within the database. If you query the User with a Criterion object, you will find him (without dropping the database). If you query the User with the Expression object, you may drop the database (if you concatenate Strings).
If you output the user's name to HTML, you have to escape the output. Otherwise a user with a name "/><script>evilJavascript()</script>" will be bad for your application.
edit 2: take a look here: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Criteria don't allow you to write vulnerable SQL/HQL yourself, thus there shouldn't be any problem with SQL injection (unless there's a bug in Hibernate itself).
Edit:
As @ckuetbach pointed out, Criteria actually allows you to write SQL using Expression.sql(String sql) or Restrictions.sqlRestriction(String).
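The distinction the answers above draw, as an added example that is not from any of the posts: Restrictions.eq() and a parameterised sqlRestriction() both bind the value as a prepared-statement parameter, while concatenating the value into the sqlRestriction() fragment bypasses that protection. It assumes the legacy Hibernate Criteria API (3.x/4.x), an open Session, and the User entity from the answer mapped with a "name" property.

```java
import java.util.List;

import org.hibernate.Criteria;
import org.hibernate.Session;
import org.hibernate.criterion.Restrictions;
import org.hibernate.type.StandardBasicTypes;

// Assumed: a mapped entity User with a String property "name".
public class UserLookup {

    // Safe: Restrictions.eq() sends the value as a bound parameter, so a
    // name such as "' or 1=1;DROP DATABASE user;--" is compared literally
    // and is never parsed as SQL.
    public static List<?> findByName(Session session, String name) {
        Criteria criteria = session.createCriteria(User.class)
                .add(Restrictions.eq("name", name));
        return criteria.list();
    }

    // Also safe: sqlRestriction() takes a raw SQL fragment, but the "?"
    // is a bound parameter with an explicit Hibernate type. {alias} is
    // Hibernate's placeholder for the root entity's table alias.
    public static List<?> findByNameSqlRestriction(Session session, String name) {
        Criteria criteria = session.createCriteria(User.class)
                .add(Restrictions.sqlRestriction(
                        "{alias}.name = ?", name, StandardBasicTypes.STRING));
        return criteria.list();
    }

    // UNSAFE (the pattern the answers warn about): the user-controlled
    // value becomes part of the SQL text, so the Criteria API cannot
    // protect it. Kept here so the pattern is recognisable in code review.
    public static List<?> findByNameUnsafe(Session session, String name) {
        Criteria criteria = session.createCriteria(User.class)
                .add(Restrictions.sqlRestriction(
                        "{alias}.name = '" + name + "'"));
        return criteria.list();
    }
}
```

Enable SQL logging (hibernate.show_sql) while testing: the two safe variants log a "?" placeholder for the name, whereas the unsafe one logs the user's text inline.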