sva605

Reputation: 1681

Hibernate and SQL injection

I have seen some topics discussing protection against SQL injection by means of named parameters, but how about Hibernate statements like

currentSession().update(object);

or

currentSession().save(object)?

Are these safe? Or is it safer to always use named parameters like

currentSession().createQuery("update Object set field=:field where id=:id").setParameter("field", field).setParameter("id", id).executeUpdate()?

Upvotes: 1

Views: 557

Answers (1)

Dragan Bozanovic

Reputation: 23552

They are safe; Hibernate uses bound variables for entity CRUD statements. The statements are cached for each entity to avoid creating them every time they are needed, and only the bound variable values are provided when they are executed.

You can enable SQL logging to inspect the generated SQL.

Upvotes: 3
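The three patterns the question and answer talk about, side by side, as an added example that is not part of the original post: `Account` is a hypothetical entity, and the code assumes Hibernate 5.x on the classpath with an open `Session` passed in by the caller.

```java
import javax.persistence.Entity;
import javax.persistence.Id;
import org.hibernate.Session;

// Added example, not from the question or answer. Assumes Hibernate 5.x and an
// open Session supplied by the caller. Account is a hypothetical entity.
@Entity
class Account {
    @Id
    private Long id;
    private String email;

    public Long getId() { return id; }
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

public class AccountDao {

    // Safe (the question's session.update(object) case): Hibernate reuses a cached
    // "update Account set email=? where id=?" and binds the values at execution time,
    // so quotes or keywords inside newEmail are stored literally, never parsed as SQL.
    public void updateEmail(Session session, Account account, String newEmail) {
        account.setEmail(newEmail);
        session.update(account);
    }

    // Safe (the question's named-parameter case): the HQL text is a constant and the
    // user-controlled value reaches the JDBC driver as a bound parameter.
    public int updateEmailById(Session session, Long id, String newEmail) {
        return session.createQuery("update Account set email = :email where id = :id")
                .setParameter("email", newEmail)
                .setParameter("id", id)
                .executeUpdate();
    }

    // UNSAFE, shown only to mark the boundary: once user input is concatenated into the
    // query string, named parameters cannot help, because the input has already become
    // part of the statement text that Hibernate parses.
    public int updateEmailByIdUnsafe(Session session, Long id, String newEmail) {
        String hql = "update Account set email = '" + newEmail + "' where id = " + id;
        return session.createQuery(hql).executeUpdate();
    }
}

// To check the answer's claim yourself, enable SQL logging and look for '?' placeholders
// in the statement and separate "binding parameter" lines for the values:
//   hibernate.show_sql=true                              (prints each statement to stdout)
//   org.hibernate.SQL=DEBUG                              (same statements via the logger)
//   org.hibernate.type.descriptor.sql.BasicBinder=TRACE  (logs each bound value)
```

With logging on, the first two methods show `update Account set email=? where id=?` followed by binding lines, while the unsafe method shows the input spliced directly into the SQL text.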
