在 Spring/Hibernate 设置中通常如何停止 SQL 注入
我讨厌 Ruby 语言,因为它不是静态类型的,但我花在 Spring/Hibernate 上的时间越多,我就越欣赏 Ruby on Rails 的功能。特别是他们的 Active Record 模型可以防止 SQL 注入。 Spring/Hibernate 堆栈通常如何处理这个问题?其中任何一个都带有某种清理工具包,以确保您的用户输入是安全的?
如果您只是插入 DAO,那么这对插入来说并不是什么大问题,但在使用 Select 语句时这是一个主要问题。
I hate the Ruby language because it's not statically typed but the more time I spend with Spring/Hibernate I appreciate more of Ruby on Rails' features. Specifically the fact that their Active Record model prevents SQL injection for you. How is this issue typically handled with a Spring/Hibernate stack? Does either one come with a scrubbing toolkit of some sort, to make sure your user input is safe?
This isn't much of an issue on an insert if you are just inserting DAO's, but it's a major issue when using Select statements.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
当您使用 Hibernate 时,SQL 注入不应该是一个风险——只要您正确使用它。
Hibernate 查询要么用 HQL(Hibernate 的类似 SQL 的查询语言)编写,要么使用面向对象的 Criteria API 实现。
HQL是最常见也是最推荐的。通常,您会编写如下 HQL 查询:
在这种形式中,您可以免受 SQL 注入的影响,因为 Hibernate 将字符串作为参数传递;它不能被解释为 SQL 的一部分。
但是,如果您表现不佳,编写这样的查询...
...那么您就无法免受 SQL 注入的保护。但是,您永远不应该编写这样的查询!如果您将字符串附加到查询中,我认为任何框架都不会保护您。
最后,如果您使用 Hibernate Criteria API,您将自动受到 SQL 注入的保护;因为 Hibernate 在您使用 Criteria API 时构建底层查询,所以它以防止 SQL 注入的方式构建底层查询。
SQL injection should not be a risk when you're using Hibernate - as long as you're using it properly.
Hibernate queries are either written in HQL (Hibernate's SQL-like query language) or implemented using object-oriented Criteria API.
HQL is the most common and most recommended. Typically you would write an HQL query like this:
In this form you are protected from SQL injection, because Hibernate passes in the string as a parameter; it cannot be interpreted as part of the SQL.
However if you behave badly an write a query like this...
...then you're not protected from SQL injection. However you should never be writing queries like this! I don't think any framework would protect you if you append strings to your queries.
Finally, if you use the Hibernate Criteria API you are automatically protected from SQL injection; because Hibernate builds the underlying query when you're using the Criteria API it does so in a way that prevents SQL injection.
我想你已经回答了你自己的问题 - 如果你只使用 HQL 作为最后的手段,那么这可能会消除 95% 的潜在攻击点。而且,因为您只在那些棘手的边缘情况下使用它,所以您可能会更加关注您实际在做什么。
I think you've answered your own question - if you're only using HQL as a last resort, then that probably cuts out 95% of potential attack points. And, because you're only using it in those tricky edge cases you're likely to be paying more attention to what you're actually doing.