Does Hibernate Criteria Api completely protect from SQL Injection

java hibernate sql-injection criteria-api hibernate-criteria
ѕтƒ picture ѕтƒ · Feb 25, 2013 · Viewed 8.8k times · Source

I am working with Hibernate to protect my website from SQL Injection.

I heard that Hibernate Criteria API is more powerful than HQL. Does Hibernate Criteria Api completely protect from SQL Injection?

Answer

kostja picture kostja · Feb 25, 2013

Yes, it does.

Criteria API as well as query parameters in HQL or JPQL both escape the parameters and would not execute malicious SQL.

The vulnerability is only exposed if you simply concatenate the parameters into your query. Then any malicious SQL becomes part of your query.

EDIT The OWASP features a SQL injection prevention cheatsheet. Using criteria queries is equivalent to defense option 1: using prepared statements.

Related questions

How to prevent SQL Injection with JPA and Hibernate?

I am developing an application using hibernate. When I try to create a Login page, The problem of Sql Injection arises. I have the following code: @Component @Transactional(propagation = Propagation.SUPPORTS) public class LoginInfoDAOImpl implements LoginInfoDAO{ @Autowired private SessionFactory sessionFactory; @…

Read More
How is SQL injection typically stopped in a Spring/Hibernate setup

I hate the Ruby language because it's not statically typed but the more time I spend with Spring/Hibernate I appreciate more of Ruby on Rails' features. Specifically the fact that their Active Record model prevents SQL injection for you. …

Read More
What are the possible values of the Hibernate hbm2ddl.auto configuration and what do they do

I really want to know more about the update, export and the values that could be given to hibernate.hbm2ddl.auto I need to know when to use the update and when not? And what is the alternative? These …

Read More