Wednesday, July 16, 2014

Hibernate Tutorial - How not to write HQL queries? (SQL Injection in Hibernate)

Hello World!

Before we begin, let me explain SQL Injection in simple words ?

I write my name as “Vinay, you are free to go”.  Judge announces my case by saying: “Calling Vinay, you are free to go.”  The Bailiff lets me go.

What happened here? - The Bailiff interpreted a part of my name (ie - "you are free to go") as a command and executed it. 
Similarly the SQL interpreter cannot differentiate between user supplied input and commands. During an SQL Injection attack the SQL interpreter is tricked into executing the input data as commands.

A lot of developers feel that their applications are safe from SQL Injection if they are using ORM solutions like Hibernate. However, nothing can be further from the truth.
The best approach to avoid SQL Injection is to use Parameterized Queries in both SQL and Hibernate.

The following Query written in HQL is vulnerable to HQL Injection.
String HQLquery;
HQLquery= "from Users where userID='"+userID+"' and password='"+password+"'";
session.createQuery(HQLquery);
The proper way to write this query is following.
HQLquery=session.createQuery("from Users where userID=:u and password=:p");
HQLquery=query.setParameter("u",userID);
HQLquery=query.setParameter("p",password);
In the above query the semi colon ":" indicates that "u" and "p" are place holders.

When the createQuery() method is executed, it fixes the meaning of the SQL query and any parameter substitution in the query after this will be treated as data only. In a parameterized query nothing can change the intent of the query because the SQL Interpreter can clearly differentiate between the Commands and the Data.

In normal SQL, the following would be a vulnerable query.
String loginQuery;
SQLQuery=("Select * FROM users WHERE userID='"+userID+"' AND password='"+password+"'");
To prevent SQL Injection use Parameterized queries in Java
String SQLQuery = "SELECT * FROM users WHERE userID= ? AND password= ?"; 
PreparedStatement pstmt = conn.prepareStatement( SQLQuery );         
pstmt.setString(1,userID);
pstmt.setString(2,password);

Hope this helps :)

Thanks for reading!
Vinay

12 comments:

  1. It is amazing and wonderful to visit your site.Thanks for sharing this information,this is useful to me...
    python Training in Pune
    python Training in Chennai
    python Training in Bangalore

    ReplyDelete
  2. Awesome..You have clearly explained …Its very useful for me to know about new things..Keep on blogging..
    Best Devops Training in pune
    Devops Training in Bangalore
    Power bi training in Chennai

    ReplyDelete
  3. I was recommended this web site by means of my cousin. I am now not certain whether this post is written through him as nobody else recognise such precise about my difficulty. You're amazing! Thank you!
    Data Science Training in Chennai
    Data Science course in anna nagar
    Data Science course in chennai
    Data science course in Bangalore
    Data Science course in marathahalli
    Data science course in bangalore

    ReplyDelete
  4. ACTIVE & FRESH CC FULLZ WITH BALANCE
    Price $5 per each CC

    US FRESH, TESTED & VERIFIED SSN LEADS
    $1 PER EACH
    $5 FOR PREMIUM

    *Time wasters or cheap questioners please stay away
    *You can buy for your specific states too
    *Payment in advance

    CC DETAILS
    =>CARD TYPE
    =>FIRST NAME & LAST NAME
    =>CC NUMBER
    =>EXPIRY DATE
    =>CVV
    =>FULL ADDRESS (ZIP CODE, CITY/TOWN, STATE)
    =>PHONE NUMBER,DOB,SSN
    =>MOTHER'S MAIDEN NAME
    =>VERIFIED BY VISA
    =>CVV2

    SSN LEADS INFO
    First Name | Last Name | SSN | Dob | Address | State | City | Zip | Phone Number | Account Number | Bank NAME | DL Number | Home Owner | IP Address |MMN | Income

    Contact Us

    -->Whatsapp > +923172721122
    -->Email > leads.sellers1212@gmail.com
    -->Telegram > @leadsupplier
    -->ICQ > 752822040

    *Hope for the long term deal
    *If you buy leads in bulk, I'll definitely negotiate
    *You can ask me for sample of Lead for demo

    US DUMP TRACK 1 & 2 WITH PIN CODES ALSO AVAILABLE

    ReplyDelete
  5. You completed certain reliable points there. I did a search on the subject and found nearly
    Servicenow Training In Hyderabad

    ReplyDelete
  6. Thank you a lot for providing individuals with a very spectacular possibility to read critical reviews from this site.
    servicenow training in hyderabad

    ReplyDelete
  7. They're produced by the very best degree developers who will be distinguished for your polo dress creation. You'll find Ron Lauren inside an exclusive array which includes particular classes for men, women.
    business analytics training in hyderabad

    ReplyDelete
  8. Spyhunter 5 Crack Free Download Keygen has the ability to become aware of the threats and take away surplus records. https://cyberspc.com/spyhunter-5-crack-download-key-mac/

    ReplyDelete