在 Spring/Hibernate 设置中通常如何停止 SQL 注入

发布于 2024-10-14 11:28:37 字数 242 浏览 5 评论 0原文

我讨厌 Ruby 语言,因为它不是静态类型的,但我花在 Spring/Hibernate 上的时间越多,我就越欣赏 Ruby on Rails 的功能。特别是他们的 Active Record 模型可以防止 SQL 注入。 Spring/Hibernate 堆栈通常如何处理这个问题?其中任何一个都带有某种清理工具包,以确保您的用户输入是安全的?

如果您只是插入 DAO,那么这对插入来说并不是什么大问题,但在使用 Select 语句时这是一个主要问题。

I hate the Ruby language because it's not statically typed but the more time I spend with Spring/Hibernate I appreciate more of Ruby on Rails' features. Specifically the fact that their Active Record model prevents SQL injection for you. How is this issue typically handled with a Spring/Hibernate stack? Does either one come with a scrubbing toolkit of some sort, to make sure your user input is safe?

This isn't much of an issue on an insert if you are just inserting DAO's, but it's a major issue when using Select statements.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

一身仙ぐ女味 2024-10-21 11:28:37

当您使用 Hibernate 时,SQL 注入不应该是一个风险——只要您正确使用它。

Hibernate 查询要么用 HQL(Hibernate 的类似 SQL 的查询语言)编写,要么使用面向对象的 Criteria API 实现。

HQL是最常见也是最推荐的。通常,您会编写如下 HQL 查询:

    Subscription sub = (Subscription) sessionFactory.getCurrentSession()
        .createQuery("from Subscription sub where sub.verification = :verification")
        .setString("verification", verification)
        .uniqueResult();

在这种形式中,您可以免受 SQL 注入的影响,因为 Hibernate 将字符串作为参数传递;它不能被解释为 SQL 的一部分。

但是,如果您表现不佳,编写这样的查询...

    Subscription sub = (Subscription) sessionFactory.getCurrentSession()
        .createQuery("from Subscription sub where sub.verification = '" + verification + "'")
        .uniqueResult();

...那么您就无法免受 SQL 注入的保护。但是,您永远不应该编写这样的查询!如果您将字符串附加到查询中,我认为任何框架都不会保护您。

最后,如果您使用 Hibernate Criteria API,您将自动受到 SQL 注入的保护;因为 Hibernate 在您使用 Criteria API 时构建底层查询,所以它以防止 SQL 注入的方式构建底层查询。

SQL injection should not be a risk when you're using Hibernate - as long as you're using it properly.

Hibernate queries are either written in HQL (Hibernate's SQL-like query language) or implemented using object-oriented Criteria API.

HQL is the most common and most recommended. Typically you would write an HQL query like this:

    Subscription sub = (Subscription) sessionFactory.getCurrentSession()
        .createQuery("from Subscription sub where sub.verification = :verification")
        .setString("verification", verification)
        .uniqueResult();

In this form you are protected from SQL injection, because Hibernate passes in the string as a parameter; it cannot be interpreted as part of the SQL.

However if you behave badly an write a query like this...

    Subscription sub = (Subscription) sessionFactory.getCurrentSession()
        .createQuery("from Subscription sub where sub.verification = '" + verification + "'")
        .uniqueResult();

...then you're not protected from SQL injection. However you should never be writing queries like this! I don't think any framework would protect you if you append strings to your queries.

Finally, if you use the Hibernate Criteria API you are automatically protected from SQL injection; because Hibernate builds the underlying query when you're using the Criteria API it does so in a way that prevents SQL injection.

眼眸印温柔 2024-10-21 11:28:37

我想你已经回答了你自己的问题 - 如果你只使用 HQL 作为最后的手段,那么这可能会消除 95% 的潜在攻击点。而且,因为您只在那些棘手的边缘情况下使用它,所以您可能会更加关注您实际在做什么。

I think you've answered your own question - if you're only using HQL as a last resort, then that probably cuts out 95% of potential attack points. And, because you're only using it in those tricky edge cases you're likely to be paying more attention to what you're actually doing.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文