SQL Injection through Hibernate-Criteria & Session.save(object)

Views: 544
This article covers SQL injection through Hibernate-Criteria & Session.save(object) and the answer given to it; it may serve as a reference for anyone dealing with the same problem.

Problem description


To avoid sql injections, normally Positional parameters and named parameters can be used in HQL as it demos here and stackoverflow also has samples. I want to know which steps can be taken when Criteria is used. Any help with sample codes or useful links please.

Edit
Also, what about when we save an object? Let's say the object may have a String variable and someone can assign a vulnerable sql query to it.

 myObject.setName(somevulnerablesql); session.save(myObject); 

In that case, should we have to check user input separately before assigning to the object? Or any other steps to avoid such sql injections?

Solution

I'm quite sure that the Criteria-Object will create safe HSQL.

You have to be careful with the Expression object. You may create a SQL-injection there. But take a look at the generated SQL: Hibernate show real SQL

edit: Unless there is a huge bug in Hibernate, you don't have to make sure that your Strings are escaped before you save them. Hibernate works with prepared statements. So there is no string concatenation and no SQL-injection with the Hibernate-session.

You may have to escape the output however after reading it with Hibernate. For example: You have an Entity User

class User {
    String name;   // stored exactly as given; Hibernate binds it as a parameter
}

And you call the user "' or 1=1;DROP DATABASE user;--" That string will be stored within the database. If you query the User with a Criterion object, you will find him (without dropping the database). If you query the User with the Expression object, you may drop the database (if you concatenate Strings).

If you output the user's name to HTML you have to escape the output. Otherwise a user with a name "/><script>evilJavascript()</script> will be bad for your application.

edit 2: take a look here: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
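As an added example (not code from the original answer, and not Hibernate's own documentation), the following Java class puts the answer's points side by side: a lookup through `Restrictions.eq`, which Hibernate binds as a prepared-statement parameter; the same lookup with the untrusted value concatenated into a raw SQL fragment via `Restrictions.sqlRestriction` (the successor of the older `Expression.sql`), which is the vulnerable case the answer warns about; the raw-SQL form hardened with a `?` placeholder; a save that stores the name verbatim; and an HTML escaper applied only at output time. It assumes the legacy `org.hibernate.Criteria` API (Hibernate 3.6 to 5.x) and that `User` is a mapped entity with `getName`/`setName` accessors for its `name` property; the class and method names are the example's own.

```java
import java.util.List;

import org.hibernate.Criteria;
import org.hibernate.Session;
import org.hibernate.criterion.Restrictions;
import org.hibernate.type.StandardBasicTypes;

// Constructed example: assumes User is a mapped entity with getName()/setName().
public final class UserLookup {

    private UserLookup() {}

    // Safe: Restrictions.eq binds the value as a JDBC parameter, so a name such as
    // "' or 1=1;DROP DATABASE user;--" is compared as literal text, never executed.
    @SuppressWarnings("unchecked")
    public static List<User> findByNameSafe(Session session, String name) {
        Criteria c = session.createCriteria(User.class)
                .add(Restrictions.eq("name", name));
        return c.list();
    }

    // Vulnerable: the same lookup, but the untrusted value is concatenated into a
    // raw SQL fragment. This is the "Expression object used with Strings" case from
    // the answer (Expression.sql in old Hibernate, Restrictions.sqlRestriction now).
    @SuppressWarnings("unchecked")
    public static List<User> findByNameUnsafe(Session session, String name) {
        Criteria c = session.createCriteria(User.class)
                .add(Restrictions.sqlRestriction("{alias}.name = '" + name + "'"));
        return c.list();
    }

    // Hardened raw-SQL variant: keep the native fragment but bind the value through
    // a "?" placeholder with an explicit type instead of concatenating it.
    @SuppressWarnings("unchecked")
    public static List<User> findByNameSqlBound(Session session, String name) {
        Criteria c = session.createCriteria(User.class)
                .add(Restrictions.sqlRestriction("{alias}.name = ?",
                                                 name, StandardBasicTypes.STRING));
        return c.list();
    }

    // Saving also goes through a prepared statement: the raw string is stored
    // unchanged, which is why no escaping is needed at this point.
    public static void saveUser(Session session, String untrustedName) {
        User u = new User();
        u.setName(untrustedName);
        session.save(u);
    }

    // Output-time encoding for the HTML context. The database still holds the raw
    // name; only the rendered page gets the encoded form.
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '/':  sb.append("&#47;");  break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    // Renders a greeting for a user read back with Hibernate.
    public static String greeting(User user) {
        return "<p>Hello, " + escapeHtml(user.getName()) + "</p>";
    }

    // Stand-alone demonstration of the output side (no database needed).
    public static void main(String[] args) {
        User u = new User();
        u.setName("\"/><script>evilJavascript()</script>");
        System.out.println(greeting(u));
    }
}
```

Setting `hibernate.show_sql=true` in the Hibernate configuration logs each generated statement, which is the quickest way to confirm the difference: the two bound variants emit a `?` placeholder in the statement text, while the concatenated variant embeds the supplied value directly in the SQL.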
