Hibernate Criteria Api是否可以完全防止SQL注入 [英] Does Hibernate Criteria Api completely protect from SQL Injection

问题描述

我正在与Hibernate合作保护我的网站免受SQL注入。

I am working with Hibernate to protect my website from SQL Injection.

我听说Hibernate Criteria API比HQL功能更强大。
Hibernate Criteria Api是否可以完全防止SQL注入？

I heard that Hibernate Criteria API is more powerful than HQL. Does Hibernate Criteria Api completely protect from SQL Injection?

推荐答案

是的。

标准API以及HQL或JPQL中的查询参数都转义了参数并且不会执行恶意SQL。

Criteria API as well as query parameters in HQL or JPQL both escape the parameters and would not execute malicious SQL.

仅当您简单地将参数连接到查询中时，此漏洞才会暴露。然后，所有恶意SQL都将成为您查询的一部分。

The vulnerability is only exposed if you simply concatenate the parameters into your query. Then any malicious SQL becomes part of your query.

编辑 OWASP具有 SQL注入预防速查表 。使用条件查询等同于防御选项1：使用准备好的语句。

EDIT The OWASP features a SQL injection prevention cheatsheet. Using criteria queries is equivalent to defense option 1: using prepared statements.

这篇关于Hibernate Criteria Api是否可以完全防止SQL注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！