Hibernate and SQL injection

I have seen some topics discussing protection against SQL injection by means of named parameters, but how about Hibernate statements like

currentSession().update(object);

or

currentSession().save(object) ?

Are these safe? Or is it safer to always use named parameters like

currentSession().createQuery("update Object set field=:field where id=:id").setParameter("field", field).setParameter("id", id).executeUpdate() ?

They are safe: Hibernate uses bound variables for entity CRUD statements. The statements are cached for each entity to avoid creating them every time they are needed, and only the bound variable values are provided when they are executed.

You can enable SQL logging to inspect the generated SQL.
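To make the distinction in the answer concrete, here is an added example (not code from the original question or answer, and not Hibernate's own source) that puts the one pattern that is actually injectable, string-concatenated HQL, next to the two safe forms the thread discusses: a named-parameter HQL update and a plain entity update. The entity class `Account` with fields `id` and `owner`, and the method names, are hypothetical and exist only to illustrate the pattern; the Hibernate 5 `Session`/`Query` API calls are real.

```java
import java.util.List;

import org.hibernate.Session;

// Added example, not part of the original page. `Account` is a hypothetical
// mapped entity with a Long `id` and a String `owner`.
public class HqlParameterExample {

    // UNSAFE: the caller-supplied value becomes part of the HQL text. An owner
    // such as  x' or '1'='1  is parsed as query syntax, not as data, because
    // Hibernate receives one string and has no way to tell the two apart.
    public static List<Account> findByOwnerUnsafe(Session session, String owner) {
        String hql = "from Account a where a.owner = '" + owner + "'";
        return session.createQuery(hql, Account.class).getResultList();
    }

    // SAFE: the value is bound as a named parameter. It reaches the JDBC driver
    // as a bind variable for a '?' placeholder and is never parsed as HQL/SQL.
    public static List<Account> findByOwner(Session session, String owner) {
        return session.createQuery("from Account a where a.owner = :owner", Account.class)
                      .setParameter("owner", owner)
                      .getResultList();
    }

    // SAFE: the bulk-update form from the question, with both values bound.
    public static int renameOwner(Session session, Long id, String newOwner) {
        return session.createQuery("update Account a set a.owner = :owner where a.id = :id")
                      .setParameter("owner", newOwner)
                      .setParameter("id", id)
                      .executeUpdate();
    }

    // SAFE: entity CRUD. Hibernate builds the UPDATE statement itself with '?'
    // placeholders (cached per entity, as the answer says) and binds every
    // field value at execution time. The object's field contents are data;
    // they can never alter the statement text, whatever characters they hold.
    public static void renameOwnerViaEntity(Session session, Long id, String newOwner) {
        Account account = session.get(Account.class, id);
        if (account != null) {
            account.setOwner(newOwner);
            // Explicit call as in the question. For an entity already managed
            // by this session it is redundant: dirty checking issues the same
            // bound UPDATE at flush time. (Deprecated in Hibernate 6 in favour
            // of merge(); the generated SQL is parameterized either way.)
            session.update(account);
        }
    }
}
```

To see this for yourself, as the answer suggests, set `hibernate.show_sql=true` (and optionally `hibernate.format_sql=true`) in the Hibernate configuration, or raise the logger `org.hibernate.SQL` to DEBUG; the emitted statements for the three safe methods show `?` placeholders where the values go. To also see the bound values themselves, set `org.hibernate.type.descriptor.sql.BasicBinder` to TRACE on Hibernate 5 (`org.hibernate.orm.jdbc.bind` on Hibernate 6). The unsafe method is the one whose logged SQL contains the caller's string verbatim, which is exactly what to look for when reviewing code.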
