
SQL Injection Attacks

 
Bai Shen
Ranch Hand
Posts: 323
I have a search servlet that runs a query on my database. Right now the query looks something like this, where variable is a parameter I get from the ServletRequest.



AFAIK, you have to do prepared statements in Java to avoid SQL injection attacks. Does my using HQL absolve that, or do I need to change my query?
 
Bauke Scholtz
Ranch Hand
Posts: 2458
No, it doesn't. Yes, you need to change it to a parameterized query and make use of the parameter setters.
 
Bai Shen
Ranch Hand
Posts: 323
How would I go about doing that using HQL vs SQL?
 
Bauke Scholtz
Ranch Hand
Posts: 2458
Bai Shen wrote: How would I go about doing that using HQL vs SQL?

Uh, just the same way? The Query API provides setters for it, like PreparedStatement has.

Edit: reading the API documentation and the reference document may lighten things up:
http://www.hibernate.org/hib_docs/v3/api/org/hibernate/Query.html
http://www.hibernate.org/hib_docs/reference/en/html/objectstate-querying.html
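The two ways of building the search query side by side, as an added example that is not code from the thread: it assumes a mapped entity named Item with a String property name, an open Hibernate 3 Session called session, and that rawInput is the value read from the ServletRequest.

```java
import java.util.List;
import org.hibernate.Query;
import org.hibernate.Session;

// Added example, not from the original post. `Item`, its `name` property and the
// `session` argument are assumptions made for illustration.
public class ItemSearch {

    // Injectable: the request parameter is concatenated into the HQL text, so it is
    // parsed as part of the query rather than treated as a value. HQL is compiled to
    // SQL, so the same class of injection applies as with a raw Statement.
    public static List<?> searchUnsafe(Session session, String rawInput) {
        String hql = "from Item i where i.name like '%" + rawInput + "%'";
        return session.createQuery(hql).list();
    }

    // Parameterized: the HQL text is a constant with a named placeholder, and the
    // user-supplied value is bound through the Query setters. Hibernate turns this
    // into a PreparedStatement with a bind variable, so the input can never change
    // the structure of the query.
    public static List<?> searchSafe(Session session, String rawInput) {
        Query q = session.createQuery("from Item i where i.name like :pattern");
        q.setString("pattern", "%" + rawInput + "%"); // setParameter(...) works too
        return q.list();
    }

    // Positional parameters are supported as well, for code that prefers the
    // PreparedStatement-style '?' placeholders.
    public static List<?> searchSafePositional(Session session, String rawInput) {
        Query q = session.createQuery("from Item i where i.name like ?");
        q.setString(0, "%" + rawInput + "%"); // Hibernate 3 positional indices start at 0
        return q.list();
    }
}
```

Binding the value only stops it from being parsed as query text; a user can still type LIKE wildcards such as % or _ into the search box, which changes what matches but is not an injection.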
 