stackoom
  简体   繁体   中英

Hibernate and SQL injection

 原文  2017-03-06 12:16:24       java/ hibernate/ sql-injection

Question

I have seen some topics discussing protection against SQL-injection by means of named parameters, but how about hibernate statements like 

currentSession().update(object);

or

currentSession().save(object) ?

Are these safe? Or is it safer to always use named parameters like

currentSession().createQuery("update Object set field=:field where id=:id").setParameter("field", field).setParameter("id", id).executeUpdate() ?

1 answers

solution1
 3 ACCPTED  2017-03-06 16:43:57

They are safe, Hibernate uses bound variables for entity CRUD statements. The statements are cached for each entity to avoid creating them every time when they are needed and only bound variable values are provided when they are executed.

You can enable SQL logging to inspect the generated SQL.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question SQL injection prevention with hibernate How to prevent SQL Injection with JPA and Hibernate? How is SQL injection typically stopped in a Spring/Hibernate setup SQL injection drop/delete from Hibernate HQL to MySQL Does Hibernate Criteria Api completely protect from SQL Injection SQL Injection through Hibernate-Criteria & Session.save(object) Hibernate HQL injection example is there SQL injection? Major performance degradation with named parameters and preventing sql injection using hibernate with native sql Sonarqube warned sql injection on the input-driven column name in my hibernate sql
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM