How safe from SQL injection am I if I use Hibernate?


Question

Does Hibernate guard against SQL injection attacks? If I am using Hibernate, am I completely safe from SQL injection attacks? I heard that using Hibernate to execute a dynamic SQL statement built with user input can allow an attacker to modify the statement's meaning or to execute arbitrary SQL commands.

Solution

Does Hibernate guard against SQL injection attack?

No, it doesn't guard against wrongly written ones, so you need to be careful when you write the queries. Always use the prepared-statement style; for example, consider the HQL queries below:

    // user-controlled id is concatenated into the query text
    String query1 = "select * from MyBean where id = " + id;
    // id is passed as a named parameter and bound separately from the query text
    String query2 = "select * from MyBean where id = :id";

query1 **is still vulnerable to** SQL injection, whereas query2 is not.

So in short, Hibernate provides you many ways that you should use to guard yourself from SQL injection attacks.
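The same contrast written against the Hibernate Session API, as an added example that is not part of the original answer. It assumes a MyBean entity with a numeric id and a name field, and Hibernate 5.2 or later; the class and method names are hypothetical.

```java
import org.hibernate.Session;
import java.util.List;
import java.util.Set;

// Hypothetical repository showing unsafe and safe ways to query MyBean.
public class MyBeanRepository {
    private final Session session;

    public MyBeanRepository(Session session) {
        this.session = session;
    }

    // Vulnerable: the request string becomes part of the HQL text, so whatever
    // the user sent is parsed as query syntax rather than treated as a value.
    public List<MyBean> findByIdUnsafe(String idFromRequest) {
        String hql = "from MyBean where id = " + idFromRequest;
        return session.createQuery(hql, MyBean.class).getResultList();
    }

    // Safe: the HQL text is a constant and the value travels as a bound
    // parameter. Parsing to long also rejects non-numeric input up front.
    public MyBean findByIdSafe(String idFromRequest) {
        long id = Long.parseLong(idFromRequest); // NumberFormatException on bad input
        return session.createQuery("from MyBean where id = :id", MyBean.class)
                      .setParameter("id", id)
                      .uniqueResult();
    }

    // Native SQL through Hibernate is not exempt: bind parameters there too.
    public MyBean findByIdNative(String idFromRequest) {
        long id = Long.parseLong(idFromRequest);
        return session.createNativeQuery("select * from my_bean where id = :id", MyBean.class)
                      .setParameter("id", id)
                      .uniqueResult();
    }

    // Identifiers (column names in ORDER BY) cannot be bound as parameters,
    // so user-chosen sort columns must be checked against an allow-list
    // before they are concatenated into the query text.
    private static final Set<String> SORTABLE = Set.of("id", "name");

    public List<MyBean> findAllSorted(String sortColumn) {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return session.createQuery("from MyBean order by " + sortColumn, MyBean.class)
                      .getResultList();
    }
}
```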
