Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What are best practices to implement security when using NHibernate?

Traditionalist argue that stored procedures provide better security than if you use a Object Relational Mapping (ORM) framework such as NHibernate.

To counter that argument what are some approaches that can be used with NHibernate to ensure that proper security is in place (for example, preventing sql injection, etc.)?

(Please provide only one approach per answer)

like image 306
Ray Avatar asked Sep 22 '08 19:09

Ray


2 Answers

Protect your connection strings.

As of .NET 2.0 and NHibernate 1.2, it is easy to use encrypted connection strings (and other application settings) in your config files. Store your connection string in the <connectionStrings> block, then use the NHibernate connection.connection_string_name property instead of connection.connection_string. If you're running a web site and not a Windows app, you can use the aspnet_regiis command line tool to encrypt the <connectionStrings> block, while leaving the rest of your NHibernate settings in plaintext for easy editing.

Another strategy is to use Integrated Authentication for your database connection, if your database platform supports it. That way, you're (hopefully) not storing credentials in plaintext in your config file.

like image 189
scott.caligan Avatar answered Sep 29 '22 23:09

scott.caligan


Actually, NHibernate can be vulnerable to SQL injection if you use SQL or HQL to construct your queries. Make sure that you use parameterized queries if you need to do this, otherwise you're setting yourself up for a world of pain.

like image 42
Kevin Pang Avatar answered Sep 29 '22 21:09

Kevin Pang