How do Spring/Hibernate guarantee protection from SQL injection, and how is it handled internally?
I know that Spring and Hibernate can prevent SQL injection.
- But how do I know that my application is protected from SQL injection attacks?
- How does any ORM tool handle SQL injection?
Thanks in advance.
Hibernate does provide protection from SQL injection if you use the API correctly.
From: https://www.owasp.org/index.php/Hibernate#A_note_about_SQL_injection
A note about SQL injection
Since it is the hot topic, I will address it now but discuss in detail later.
- Hibernate does not grant immunity to SQL Injection, one can misuse the API as they please.
- There is nothing special about HQL (Hibernate's subset of SQL) that makes it any more or less susceptible.
- Functions such as createQuery(String query) and createSQLQuery(String query) create a Query object that will be executed when the call to commit() is made. If the query string is tainted you have SQL injection. The details of these functions are covered later.
Always use PreparedStatement to prevent SQL injection; it is part of the JDBC API, and Hibernate itself uses this API internally.
For example:
String query1 = "select * from MyBean where id = " + id;  // Not secure: the value is concatenated into the query text
String query2 = "select * from MyBean where id = :id";    // Secure: named parameter, bound later with setParameter("id", id)
A useful article on this topic: http://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-hibernate
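To make the difference concrete, here is an added example (not code from the original answer, and not Hibernate's or Spring's own code) that writes the same lookup the unsafe way and then the safe way through HQL, native SQL, plain JDBC and Spring's JdbcTemplate. It assumes a hypothetical JPA entity `MyBean` mapped to a table `MY_BEAN` with a `Long` id and a `name` column, an open Hibernate `Session`, and a configured `JdbcTemplate`; none of these names come from the page.

```java
// Added example, not from the original post. Assumed (hypothetical) setup: a JPA entity
// MyBean mapped to table MY_BEAN (columns id, name), an open Hibernate Session and a
// Spring JdbcTemplate. createNativeQuery is the Hibernate 5.2+ name for createSQLQuery.
import org.hibernate.Session;
import org.hibernate.query.Query;
import org.springframework.jdbc.core.JdbcTemplate;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;

public class MyBeanRepository {

    private final Session session;
    private final JdbcTemplate jdbcTemplate;

    public MyBeanRepository(Session session, JdbcTemplate jdbcTemplate) {
        this.session = session;
        this.jdbcTemplate = jdbcTemplate;
    }

    // NOT SECURE: the caller-supplied string becomes part of the query text, so any HQL
    // grammar inside it is parsed as HQL. Hibernate cannot distinguish data from code here.
    public List<MyBean> findByIdUnsafe(String idFromRequest) {
        String hql = "from MyBean where id = " + idFromRequest;
        return session.createQuery(hql, MyBean.class).getResultList();
    }

    // SECURE: the query text is a constant and the value travels as a bound parameter.
    // Hibernate compiles this to a JDBC PreparedStatement with a '?' placeholder and binds
    // the value with setLong/setObject, so it is never parsed as part of the statement.
    public List<MyBean> findByIdHql(long id) {
        Query<MyBean> q = session.createQuery("from MyBean where id = :id", MyBean.class);
        q.setParameter("id", id);
        return q.getResultList();
    }

    // SECURE, native SQL through Hibernate: named parameters work the same way.
    public List<MyBean> findByIdNativeSql(long id) {
        return session.createNativeQuery("select * from MY_BEAN where id = :id", MyBean.class)
                .setParameter("id", id)
                .getResultList();
    }

    // SECURE, plain JDBC: this is what Hibernate does underneath. The SQL is sent to the
    // driver once with a placeholder; the value is sent separately and never re-parsed.
    public static String findNameByIdJdbc(Connection conn, long id) throws SQLException {
        String sql = "select name from MY_BEAN where id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("name") : null;
            }
        }
    }

    // SECURE, Spring JdbcTemplate: '?' placeholders plus trailing args are bound through
    // the same PreparedStatement mechanism.
    public String findNameByIdSpring(long id) {
        return jdbcTemplate.queryForObject(
                "select name from MY_BEAN where id = ?", String.class, id);
    }
}
```

Two practical checks follow from this. First, to answer "how do I know my application is safe", review every call to `createQuery`, `createSQLQuery`/`createNativeQuery`, `prepareStatement` and the `JdbcTemplate` methods and confirm the query string is a compile-time constant (or built only from constants), with all request-derived values passed as parameters; accepting a typed `long` at the boundary, as above, also rejects non-numeric input before it reaches the query. Second, parameter binding only covers values: table and column names, `ORDER BY` targets and similar identifiers cannot be bound, so if those are user-selectable they must be matched against a fixed allow-list in code rather than inserted into the string.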