CRV2 SQLInjHQL

From OWASP
Revision as of 16:42, 15 June 2014 by Larry Conklin (Talk | contribs)


Hibernate Query Language (HQL)

Hibernate facilitates the storage and retrieval of Java domain objects via Object/Relational Mapping (ORM).

It is a very common misconception that ORM solutions, like Hibernate, are SQL Injection proof. Hibernate allows the use of "native SQL" and defines a proprietary query language, called HQL (Hibernate Query Language); the former is prone to SQL Injection and the latter is prone to HQL (or ORM) injection.

Code Reviewer Action

The code reviewer needs to make sure that any untrusted data used in an HQL (or native SQL) query is passed through HQL parameterized queries (bound parameters), so that it is treated as data and not as query code. String concatenation of values into the query text, as in the example below, is the pattern to flag.

Bad code examples

// Vulnerable: the id value is concatenated into the HQL text, so its contents are parsed as part of the query
List results = session.createQuery("from Items as item where item.id = " + currentItem.getId()).list();
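The following is an added example, not code from the OWASP page, showing the concatenated query above next to the parameterized form a reviewer should expect, for both HQL and native SQL. It assumes a mapped entity class named Items with a numeric id field, and the Hibernate 5.2+ org.hibernate.query API (older versions use org.hibernate.Query and session.createSQLQuery).

```java
import java.util.List;
import org.hibernate.Session;
import org.hibernate.query.NativeQuery;
import org.hibernate.query.Query;

public class ItemLookup {

    // BAD: the raw request value is pasted into the HQL string. Whatever the
    // string contains becomes part of the query that Hibernate parses.
    public static List<Items> findUnsafe(Session session, String idFromRequest) {
        String hql = "from Items as item where item.id = " + idFromRequest;
        return session.createQuery(hql, Items.class).list();
    }

    // GOOD (HQL): the query text is a constant and the value is bound to the
    // named parameter :id. Hibernate ships text and value separately, so the
    // value can only ever be compared against item.id, never parsed as HQL.
    public static List<Items> findSafe(Session session, long id) {
        Query<Items> query = session.createQuery(
                "from Items as item where item.id = :id", Items.class);
        query.setParameter("id", id);
        return query.list();
    }

    // GOOD (native SQL): the same rule applies when HQL is bypassed. Bind the
    // value instead of concatenating it into the SQL text. Table name ITEMS is
    // assumed for the example.
    public static List<Items> findSafeNative(Session session, long id) {
        NativeQuery<Items> query = session.createNativeQuery(
                "select * from ITEMS where ID = :id", Items.class);
        query.setParameter("id", id);
        return query.list();
    }

    // Converting the untrusted string to the expected type before binding is a
    // second, independent check: anything that is not a number is rejected
    // here, before it gets anywhere near the query.
    public static List<Items> findFromRequest(Session session, String idFromRequest) {
        long id;
        try {
            id = Long.parseLong(idFromRequest.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("item id must be numeric");
        }
        return findSafe(session, id);
    }
}
```

When reviewing, search for createQuery, createNativeQuery and createSQLQuery calls whose string argument is built with + or String.format from request data; each one should become a constant query with setParameter calls.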