Reputation: 3255
I want to use the Java Play Framework to write a RESTful backend. I've worked only with the PHP language and Android development before.
So I want to know whether the typical PHP SQL injections are possible with Play Framework. If yes, how do I defend against them?
Upvotes: 2
Views: 2473
Reputation: 55798
Every piece of code can be done badly or wrong; if you're stubborn enough you will be able to allow the kids to attack you via params... even with Play.
On the other hand Play (especially ver. 2.x) puts massive effort into type safety, which means that already at the routing level you can prevent the simplest attacks, i.e. you declare the type of every param in the URL every time, which means that you don't need to check like in PHP if(intval($_GET['param'])>0)
as you declared it at routing time as an Integer. Play just won't recognize the path with a string in this place. Sample:
GET /find-user/:id controllers.Users.find(id: Int)
Requires a link like http://domain.tld/find-user/123
and a simple injection approach http://domain.tld/find-user/123 AND 1==1
will give you... a 404 page (actually "route not found" by default, as you need to handle 404 yourself).
What's more, when using e.g. Java with Ebean, typically even if you build your queries manually you can use parametrized placeholders, which raises security a lot. Last time I made a survey within our project and, although I'm not a super-hacker... I wasn't able to inject SQL in any way into even basic queries which were written with the Ebean API.
Finally, if you were working with raw mysql_query("SELECT ...
till now and learned how to prevent injections, with Play most probably you can forget additional efforts; just keep your eyes open and you'll be safe.
Upvotes: 5
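The two points in this answer (typed route params and parametrized Ebean queries), as an added example that is not part of the original answer. It assumes a Play 2.x Java project with Ebean, a `models.User` entity with `id` and `email` fields, and the hypothetical routes shown in the comment; the vulnerable `searchUnsafe` method is there only for contrast.

```java
// Added example, not code from the original answer.
// Assumed conf/routes entries (hypothetical):
//   GET  /find-user/:id   controllers.Users.find(id: Int)
//   GET  /search          controllers.Users.search(email: String)
package controllers;

import java.util.List;
import io.ebean.Ebean;      // older Play/Ebean versions use com.avaje.ebean.Ebean
import io.ebean.SqlQuery;
import io.ebean.SqlRow;
import play.mvc.Controller;
import play.mvc.Result;
import models.User;         // assumed Ebean entity with fields id and email

public class Users extends Controller {

    // id is already an Integer here: a request for /find-user/123 AND 1==1
    // never reaches this method, the router answers 404 before any controller code runs.
    public Result find(Integer id) {
        User u = Ebean.find(User.class, id);
        return u == null ? notFound("no such user") : ok(u.email);
    }

    // VULNERABLE (for contrast only): a String param spliced into hand-built SQL.
    // email = x' OR '1'='1  turns this into  ... where email = 'x' OR '1'='1'
    public Result searchUnsafe(String email) {
        String sql = "select id, email from user where email = '" + email + "'";
        List<SqlRow> rows = Ebean.createSqlQuery(sql).findList();
        return ok(rows.toString());
    }

    // SAFE: the same raw SQL, but the value travels as a bound parameter,
    // so quotes inside it are data, not SQL.
    public Result search(String email) {
        SqlQuery q = Ebean.createSqlQuery("select id, email from user where email = :email")
                          .setParameter("email", email);
        List<SqlRow> rows = q.findList();
        return ok(rows.toString());
    }

    // Also safe, and the usual Ebean style: the query API binds the value for you.
    public Result searchWithApi(String email) {
        List<User> users = Ebean.find(User.class).where().eq("email", email).findList();
        return ok(users.toString());
    }
}
```

The route type check only protects parameters you declare as `Int`; a `String` parameter still reaches your code unchanged, and the protection there comes from binding it (`:email`) rather than concatenating it into the query text.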
Reputation: 30320
The issue isn't so much with Play but rather with the persistence framework you use within Play. When using Play with Java, you have JPA and Ebean (though being demoted, I believe) supported out of the box, and both have facilities for preventing SQL injection, including when using raw SQL (rather than, say, JPQL in JPA).
Here is a nice resource on preventing SQL injection with JPA.
When using Play with Scala, Slick and Anorm also have similar protections.
But of course, if you go out of your way to write code with vulnerabilities, you will have code with vulnerabilities.
Upvotes: 4
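The JPA facilities this answer refers to, as an added example that is not part of the original answer: a JPQL query with a named parameter, a native SQL query with a positional parameter, and the one case binding cannot cover (a user-chosen ORDER BY column), which needs a whitelist instead. `EntityManager` wiring differs between Play versions, so it is passed in; `models.User` is an assumed `@Entity` with `id`, `email` and `createdAt` fields.

```java
// Added example, not code from the original answer.
package repositories;

import java.util.List;
import java.util.Set;
import javax.persistence.EntityManager;
import javax.persistence.Query;
import javax.persistence.TypedQuery;
import models.User;   // assumed @Entity with fields id, email, createdAt

public class UserRepository {
    private final EntityManager em;

    // Only these names may be spliced into ORDER BY. A bound parameter can carry
    // a value but never an identifier, so for column names a whitelist is the defence.
    private static final Set<String> SORTABLE = Set.of("email", "createdAt");

    public UserRepository(EntityManager em) { this.em = em; }

    // JPQL with a named parameter: the provider binds the value, it is never inlined.
    public List<User> byEmail(String email) {
        TypedQuery<User> q = em.createQuery(
            "select u from User u where u.email = :email", User.class);
        return q.setParameter("email", email).getResultList();
    }

    // Raw SQL is fine too, as long as the value is a positional parameter.
    public List<?> byEmailNative(String email) {
        Query q = em.createNativeQuery("select id, email from user where email = ?1");
        return q.setParameter(1, email).getResultList();
    }

    // Sorting by a user-chosen column: reject anything outside the whitelist,
    // then (and only then) splice the name into the query text.
    public List<User> sorted(String column) {
        if (!SORTABLE.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column: " + column);
        }
        return em.createQuery("select u from User u order by u." + column, User.class)
                 .getResultList();
    }
}
```

The first two methods are what "facilities for preventing SQL injection" means in practice; the third shows where those facilities stop, since neither JPQL nor native queries let you bind a column name.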