
SQL injection prevention with hibernate

I have existing code where the application generates different SQL depending on a lot of conditions and executes it via the Hibernate session's createSQLQuery(). Here the parameters are concatenated to the SQL string, which resides in the Java class, as normal string replacement. The problem now is that I need to prevent SQL injections. So for that I have to use getNamedQuery() and bind the parameters so Hibernate will take care of special characters. But the problem is that moving the string SQL to an XML file is an overhead because the SQL is generated conditionally. So I decided to manually do the special character validation, append it to the string query and execute it as it is now. So then I checked the source for PrepareStatement and found it just throws an exception:

// Fragment as quoted from the driver's PreparedStatement source: the parameter
// characters are converted to bytes in the connection's charset, and an
// unsupported encoding is silently swallowed
byte[] arrayOfByte1 = new byte[0];
try
{
    arrayOfByte1 = CharsToBytes(this.OdbcApi.charSet, arrayOfChar);
}
catch (UnsupportedEncodingException localUnsupportedEncodingException)
{
}

How can I do the same kind of encoding in the Java class as above for the parameters before concatenating them with the string query, to eliminate SQL injections? Or is there any way I can still keep the string SQL as it is, append parameters, and use Hibernate to execute the query?

As far as I can tell, you want to create SQL queries on the fly because the combination of conditions (from the UI, I guess) can be very complicated. That's fine. All you need to control are the parameters that the user supplies. And for that, you can, and should, still use Hibernate's createSqlQuery(). That function understands either ? for positional parameters (numbered from the beginning of the query string), or :param_name syntax, and then you supply named parameters. You don't need to move anything into an XML file.

Section 16.1.7 has examples.
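As an added illustration of the binding this answer describes (example code, not the answerer's and not part of Hibernate), here is how conditionally assembled native SQL can keep every user-supplied value as a bound parameter while the SQL text itself is built from fixed fragments. The `orders` table, its columns and the `OrderSearch` class are assumptions; the Hibernate calls (`createSQLQuery`, `setParameter`, `setParameterList`, `list`) are the Hibernate 3.x API the answer refers to (Hibernate 5.2 and later use `createNativeQuery` instead). The one thing binding cannot cover is an identifier such as the sort column, so that is checked against a whitelist rather than taken from input.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.hibernate.SQLQuery;
import org.hibernate.Session;

/**
 * Assembles a native SQL query from optional filter conditions. User-supplied
 * values never enter the SQL string; they are collected and bound as named
 * parameters when the query is executed. (Hypothetical table and columns.)
 */
public class OrderSearch {

    // Column names cannot be bound as parameters, so a caller-chosen sort column
    // is only accepted if it is one of these fixed identifiers.
    private static final Set<String> SORTABLE =
            new HashSet<>(Arrays.asList("order_date", "total", "customer_id"));

    private final StringBuilder sql = new StringBuilder("SELECT * FROM orders WHERE 1 = 1");
    private final Map<String, Object> params = new LinkedHashMap<>();
    private final Map<String, List<?>> listParams = new LinkedHashMap<>();
    private String orderBy;

    public OrderSearch customerId(Long id) {
        if (id != null) {
            sql.append(" AND customer_id = :customerId");
            params.put("customerId", id);
        }
        return this;
    }

    public OrderSearch statusIn(List<String> statuses) {
        if (statuses != null && !statuses.isEmpty()) {
            // Hibernate expands :statuses into one placeholder per element
            sql.append(" AND status IN (:statuses)");
            listParams.put("statuses", statuses);
        }
        return this;
    }

    public OrderSearch customerNameContains(String fragment) {
        if (fragment != null && !fragment.isEmpty()) {
            // The LIKE wildcards are added to the bound value, not to the SQL text,
            // so whatever the fragment contains reaches the database as data only
            sql.append(" AND customer_name LIKE :nameLike");
            params.put("nameLike", "%" + fragment + "%");
        }
        return this;
    }

    public OrderSearch orderBy(String column) {
        if (column != null) {
            if (!SORTABLE.contains(column)) {
                throw new IllegalArgumentException("unsupported sort column: " + column);
            }
            orderBy = column;
        }
        return this;
    }

    /** The SQL that will be sent: fixed fragments and placeholders, never values. */
    public String sqlText() {
        return orderBy == null ? sql.toString() : sql + " ORDER BY " + orderBy;
    }

    @SuppressWarnings("unchecked")
    public List<Object[]> execute(Session session) {
        SQLQuery query = session.createSQLQuery(sqlText());
        for (Map.Entry<String, Object> e : params.entrySet()) {
            query.setParameter(e.getKey(), e.getValue());
        }
        for (Map.Entry<String, List<?>> e : listParams.entrySet()) {
            query.setParameterList(e.getKey(), e.getValue());
        }
        return query.list();
    }

    // Usage (session obtained from the SessionFactory as usual):
    //   new OrderSearch().customerId(42L)
    //                    .statusIn(Arrays.asList("NEW", "PAID"))
    //                    .customerNameContains(userInput)
    //                    .orderBy("order_date")
    //                    .execute(session);
}
```

The same pattern works with positional `?` placeholders and `setParameter(int, Object)`, but named parameters are easier to keep consistent when fragments are appended in varying order. Note that a `%` or `_` typed by the user still acts as a LIKE wildcard in the bound value; that is a matching-semantics question rather than an injection one, and needs an ESCAPE clause if exact matching matters.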

If you need to assemble custom SQL into a query, I've found that writing my own criteria classes that include the custom SQL works well.

You just need to implement the Criterion interface: https://docs.jboss.org/hibernate/orm/3.5/api/org/hibernate/criterion/Criterion.html

(See also the Hibernate implementation of 'not null': http://www.grepcode.com/file/repo1.maven.org/maven2/org.hibernate/hibernate/3.2.4.sp1/org/hibernate/criterion/NotNullExpression.java?av=f .)

Then you can simply build up each custom query using the normal Hibernate Criteria API: https://docs.jboss.org/hibernate/orm/3.3/reference/en/html/querycriteria.html#querycriteria-creating

Sanitising SQL values properly is painful - try really hard to avoid it! ;-)
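An added example of the custom Criterion approach this answer recommends (not the answerer's code and not a class from Hibernate itself). The class name, property and the prefix-match semantics are assumptions; the interface and helper calls (`Criterion`, `CriteriaQuery.getColumn`, `CriteriaQuery.getTypedValue`, `org.hibernate.engine.TypedValue`) are the Hibernate 3.x API the answer links to (in Hibernate 4 `TypedValue` moved to `org.hibernate.engine.spi`). The point to notice is the split: `toSqlString` emits only a column name resolved from the mapping plus a `?` placeholder, while the user's value is returned from `getTypedValues` so Hibernate binds it as a JDBC parameter.

```java
import org.hibernate.Criteria;
import org.hibernate.HibernateException;
import org.hibernate.criterion.CriteriaQuery;
import org.hibernate.criterion.Criterion;
import org.hibernate.engine.TypedValue;

/**
 * Case-insensitive "starts with" restriction rendered as custom SQL:
 *   lower(<column>) like ? escape '!'
 * The user-supplied prefix never touches the SQL text; it is bound through
 * Hibernate's typed-value mechanism like any built-in restriction.
 */
public class StartsWithIgnoreCase implements Criterion {

    private final String propertyName;
    private final String prefix;

    public StartsWithIgnoreCase(String propertyName, String prefix) {
        this.propertyName = propertyName;
        this.prefix = prefix;
    }

    /** SQL fragment: column name from the mapping (not from input) and a placeholder. */
    public String toSqlString(Criteria criteria, CriteriaQuery criteriaQuery)
            throws HibernateException {
        String column = criteriaQuery.getColumn(criteria, propertyName);
        return "lower(" + column + ") like ? escape '!'";
    }

    /** Value for the placeholder, typed from the property's mapping so it binds correctly. */
    public TypedValue[] getTypedValues(Criteria criteria, CriteriaQuery criteriaQuery)
            throws HibernateException {
        String pattern = escapeLikeWildcards(prefix.toLowerCase()) + "%";
        return new TypedValue[] { criteriaQuery.getTypedValue(criteria, propertyName, pattern) };
    }

    /**
     * '%' and '_' in the prefix are LIKE wildcards, not injection, but without
     * escaping they would widen the match; '!' is the escape character declared above.
     */
    static String escapeLikeWildcards(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    public String toString() {
        return propertyName + " starts with " + prefix;
    }

    // Usage, combining with ordinary restrictions (Order is a hypothetical entity):
    //   session.createCriteria(Order.class)
    //          .add(Restrictions.eq("status", "PAID"))
    //          .add(new StartsWithIgnoreCase("customerName", userInput))
    //          .list();
}
```

Because the criterion participates in the normal Criteria query, Hibernate handles aliasing of the column, parameter ordering across all restrictions, and type conversion; the custom class only contributes the SQL shape, which is what makes this safer than concatenating strings by hand.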
