java SQL 注入通常如何在 Spring/Hibernate 设置中停止
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4811963/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How is SQL injection typically stopped in a Spring/Hibernate setup
提问by John Baker
I hate the Ruby language because it's not statically typed but the more time I spend with Spring/Hibernate I appreciate more of Ruby on Rails' features. Specifically the fact that their Active Record model prevents SQL injection for you. How is this issue typically handled with a Spring/Hibernate stack? Does either one come with a scrubbing toolkit of some sort, to make sure your user input is safe?
我讨厌 Ruby 语言,因为它不是静态类型的,但是我花在 Spring/Hibernate 上的时间越多,我就越欣赏 Ruby on Rails 的特性。特别是他们的 Active Record 模型可以防止 SQL 注入。Spring/Hibernate 堆栈通常如何处理这个问题?任何一个都带有某种清理工具包,以确保您的用户输入是安全的?
This isn't much of an issue on an insert if you are just inserting DAO's, but it's a major issue when using Select statements.
如果您只是插入 DAO,这对插入来说不是什么大问题,但在使用 Select 语句时这是一个主要问题。
回答by gutch
SQL injection should not be a risk when you're using Hibernate - as long as you're using it properly.
当您使用 Hibernate 时,SQL 注入不应该是一个风险 - 只要您正确使用它。
Hibernate queries are either written in HQL (Hibernate's SQL-like query language) or implemented using object-oriented Criteria API.
Hibernate 查询要么用 HQL(Hibernate 的类 SQL 查询语言)编写,要么使用面向对象的 Criteria API 实现。
HQL is the most common and most recommended. Typically you would write an HQL query like this:
HQL 是最常见和最推荐的。通常,您会像这样编写 HQL 查询:
Subscription sub = (Subscription) sessionFactory.getCurrentSession()
.createQuery("from Subscription sub where sub.verification = :verification")
.setString("verification", verification)
.uniqueResult();
In this form you are protected from SQL injection, because Hibernate passes in the string as a parameter; it cannot be interpreted as part of the SQL.
在这种形式中,您可以避免 SQL 注入,因为 Hibernate 将字符串作为参数传入;它不能被解释为 SQL 的一部分。
However if you behave badly an write a query like this...
但是,如果您表现不佳,请编写这样的查询...
Subscription sub = (Subscription) sessionFactory.getCurrentSession()
.createQuery("from Subscription sub where sub.verification = '" + verification + "'")
.uniqueResult();
...then you're not protected from SQL injection. However you should never be writing queries like this! I don't think any framework would protect you if you append strings to your queries.
...那么你就没有受到 SQL 注入的保护。但是,您永远不应该像这样编写查询!如果您将字符串附加到查询中,我认为任何框架都不会保护您。
Finally, if you use the Hibernate Criteria API you are automatically protected from SQL injection; because Hibernate builds the underlying query when you're using the Criteria API it does so in a way that prevents SQL injection.
最后,如果您使用 Hibernate Criteria API,您将自动受到 SQL 注入保护;因为当您使用 Criteria API 时,Hibernate 会构建底层查询,所以它以一种防止 SQL 注入的方式构建。
回答by CurtainDog
I think you've answered your own question - if you're only using HQL as a last resort, then that probably cuts out 95% of potential attack points. And, because you're only using it in those tricky edge cases you're likely to be paying more attention to what you're actually doing.
我想你已经回答了你自己的问题——如果你只使用 HQL 作为最后的手段,那么这可能会减少 95% 的潜在攻击点。而且,因为您只在那些棘手的边缘情况下使用它,所以您可能会更加关注您实际在做什么。
