18

I know that to prevent all or most SQL injection attacks that you should use parametrized queries. I've been using Hibernate for a while instead of hand writing my SQL statements. Are there any known attacks or research that is directed toward exploiting this layer?

Anders
Casey

3 Answers

13

No, you are not automatically safe.
SQL Injection can still exist.

From the OWASP page:

A note about SQL injection

Since it is the hot topic, I will address it now but discuss in detail later.

  • Hibernate does not grant immunity to SQL Injection, one can misuse the api as they please.
  • There is nothing special about HQL (Hibernate's subset of SQL) that makes it any more or less susceptible.
  • Functions such as createQuery(String query) and createSQLQuery(String query) create a Query object that will be executed when the call to commit() is made. If the query string is tainted you have sql injection. The details of these functions are covered later.
AviD
  • 1
    I guess the key here is the misuse of the custom createQuery functions. If I am creating a query on the fly using HQL and I am concatenating strings together that would still cause the same issue. What about strictly using the criteria api though? – Casey Dec 09 '10 at 20:21
  • @casey no, you can still muck things up – Woot4Moo Dec 09 '10 at 21:50
  • I might pursue this further as a lot of people I have encountered recently seem to think that using hibernate or other ORM frameworks handles this. – Casey Dec 10 '10 at 00:45
  • @Woot4Moo Interesting to hear that. Can you give a couple of examples of where it's possible to go wrong with an ORM without using it to concatenate strings? – Rory McCune Dec 10 '10 at 16:51
  • 1
    @Rory in the article that AviD supplied the author looks at the core api of hibernate to expose some of its weaknesses as well as common design flaws – Woot4Moo Dec 10 '10 at 17:36
  • It is possible in some cases to abuse HQL or other interpreters. This OWASP page provides a couple of examples. https://www.owasp.org/index.php/Interpreter_Injection#ORM_Injection – Casey Jul 08 '15 at 18:48
4

In addition to the other answers, one area where ORMs may not help is where there is an issue with the ORM code itself. For example, there were a couple of issues with ActiveRecord in Rails some versions ago where the SQL injection was in the framework itself rather than in user-created code.

That said, correctly using an ORM does make it much easier to avoid SQL injection, so it'd be a good strategy to pursue, as opposed to hand crafting queries.

Rory McCune
  • That is true - even though it's not a silver bullet, and should not be treated as such, it **definitely** makes it much easier to avoid SQL Injection. – AviD Dec 11 '10 at 20:22
  • Very true - use of an ORM such as Hibernate encourages you to use safe APIs and approaches. If you want to have a look at the logical endpoint, Microsoft's LINQ implementation is almost impossible to write SQL injectable code in by accident. – Justin Clarke Dec 22 '10 at 23:29
0

In this blog post there is sample code using nHibernate's CreateSQLQuery that will be vulnerable to SQL injection, as well as an appropriate way of writing the same query using a parameterized query in your ORM framework to avoid injection. At the end of the day, no matter how you create SQL queries, using string concatenation or an ORM to deal with input as objects and attributes, if you create dynamic queries, injected SQL code can get executed at the database. But if you parameterize it, you are telling the database a "Select" or "Insert" query is coming with these two inputs, for example, and even if the inputs contain some SQL code, the database does not execute them.

Goli E
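The misuse of createQuery(String) that the first answer quotes from OWASP, and the parameterized alternative that the last answer recommends, side by side in Hibernate. This is an added example written for this page, not code from any of the answers or from the Hibernate project; the AppUser entity and the UserLookup class are assumed for illustration. It uses the Hibernate 5.2+ API (org.hibernate.query.Query, createNativeQuery, and the JPA Criteria API reachable through Session.getCriteriaBuilder()).

```java
import java.util.List;

import javax.persistence.Entity;
import javax.persistence.Id;
import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.Root;

import org.hibernate.Session;

public class UserLookup {

    // Minimal entity assumed for this example (not from the original question).
    @Entity
    public static class AppUser {
        @Id
        public Long id;
        public String username;
        public String role;

        public AppUser() {
        }
    }

    // VULNERABLE: the caller-supplied value is spliced into the HQL text, so the
    // HQL parser sees it as part of the statement rather than as data. This is
    // the "tainted query string" misuse of createQuery(String) the OWASP note
    // describes; going through the ORM changes nothing here.
    public static List<AppUser> findByNameUnsafe(Session session, String username) {
        String hql = "from AppUser u where u.username = '" + username + "'";
        return session.createQuery(hql, AppUser.class).getResultList();
    }

    // SAFE: the query text is a constant and the value is bound as a named
    // parameter. Hibernate hands the value to the JDBC driver as a bind
    // variable, so the database never parses it as SQL.
    public static List<AppUser> findByNameSafe(Session session, String username) {
        return session
                .createQuery("from AppUser u where u.username = :name", AppUser.class)
                .setParameter("name", username)
                .getResultList();
    }

    // SAFE: the same lookup through the JPA Criteria API. The predicate is built
    // as an object tree and the value becomes a bind parameter automatically.
    public static List<AppUser> findByNameCriteria(Session session, String username) {
        CriteriaBuilder cb = session.getCriteriaBuilder();
        CriteriaQuery<AppUser> cq = cb.createQuery(AppUser.class);
        Root<AppUser> root = cq.from(AppUser.class);
        cq.select(root).where(cb.equal(root.get("username"), username));
        return session.createQuery(cq).getResultList();
    }

    // Native SQL issued through the ORM is exactly as exposed as hand-written
    // JDBC: the protection comes from the bind parameter, not from Hibernate.
    public static List<AppUser> findByNameNativeSafe(Session session, String username) {
        return session
                .createNativeQuery("select * from AppUser where username = :name", AppUser.class)
                .setParameter("name", username)
                .getResultList();
    }
}
```

Reviewing code for this class of bug therefore comes down to one question per createQuery, createNativeQuery or createSQLQuery call: is the string argument a constant, or does anything derived from input flow into it? The criteria form removes the string entirely for values, but it does not validate query structure chosen by the caller; if user input selects an attribute name (for example root.get(fieldFromRequest) in an order-by), that name should still be checked against a fixed allowlist before it reaches the builder.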