Narendra Sharma

Reputation: 116

Is it possible to do SQL injection in Grails?

I have a search box where I am submitting text like "java", etc., and based on that I am finding the data through GORM, like in the given code:

def searchQueryInSession = params?.searchQuery
def searchSkill = MetaSkills.findAllByName(searchQueryInSession)

Is it possible to do SQL injection here? If yes, how can we prevent this behaviour in the described scenario?

Upvotes: 2

Views: 592

Answers (2)

Matt L

Reputation: 55

One caveat is that you need to be careful when doing HQL. It is possible to write an injection attack using HQL, such as

def vulnerable() {
    def books = Book.find("from Book as b where b.title ='" + params.title + "'")
}

or

def vulnerable() {
    def books = Book.find("from Book as b where b.title ='${params.title}'")
}

Examples taken from: Grails Documentation - Security

Upvotes: 0

mkuligowski

Reputation: 1594

The answer is: no

GORM will create the query with binding parameters similar to the following one:

select m.* from meta_skills m where name = ?

so it can't alter your program or do any harm.

Upvotes: 1
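To tie the two answers together, here is an added example (not code from the original question or from the Grails documentation) that puts the interpolated HQL query next to the forms that bind the user input instead. It assumes a GORM domain class `Book` with a `String title` property and a `MetaSkills` class with a `String name` property as in the question; the controller and action names are hypothetical.

```groovy
// Added example, not from the original post. Assumes GORM domain classes
// Book (String title) and MetaSkills (String name). Controller/action names
// are hypothetical.
class SearchController {

    // VULNERABLE: params.title is spliced into the HQL text. Submitting
    //   ' OR '1'='1
    // produces   from Book as b where b.title = '' OR '1'='1'
    // and the action returns every Book instead of one title.
    def vulnerable() {
        def books = Book.findAll("from Book as b where b.title = '${params.title}'")
        render books*.title
    }

    // SAFE: named parameter. The value is sent to Hibernate as a bound
    // parameter, so the same input is compared as the literal string
    // "' OR '1'='1" and matches nothing.
    def safeNamed() {
        def books = Book.findAll("from Book as b where b.title = :title",
                                 [title: params.title])
        render books*.title
    }

    // SAFE: where query. GORM turns the closure into criteria and binds
    // the value itself; no query text is ever built from the input.
    def safeWhere() {
        def books = Book.where { title == params.title }.list()
        render books*.title
    }

    // SAFE: dynamic finder, which is exactly the question's case. GORM emits
    // the equivalent of   select m.* from meta_skills m where name = ?
    // with the value bound, regardless of what the user typed.
    def safeFinder() {
        def skills = MetaSkills.findAllByName(params.searchQuery)
        render skills*.name
    }
}
```

The rule of thumb that falls out of this: a GORM dynamic finder, where query or criteria query is safe by construction, while any `find`, `findAll` or `executeQuery` call that receives a string built from request data (by `+` or by `${...}` interpolation) is injectable and should carry the input as a named or positional parameter instead.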
