[Owasp_Top_10_fuer_Entwickler] Query Parameterization Cheat Sheet / Java Hibernate

Jim Manico jim.manico at owasp.org
Mon Feb 10 15:06:23 UTC 2014


I added your Criteria API example here!

https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet#Parameterized_Query_Examples

ALOHA,
Jim

On 1/30/14, 5:29 PM, Torsten Gigler wrote:
> Hi Jim,
>
> here, both examples, as I put it on 
> https://www.owasp.org/index.php/Germany/Projekte/Top_10_fuer_Entwickler-2013/A1-Injection
>
>
>
> HQL:
>
> String userSuppliedParameter = request.getParameter("Product-Description"); // This should REALLY be validated too
> // perform input validation to detect attacks
> Query safeHQLQuery = session.createQuery("from Inventory where productDescription=:productdescription");
> safeHQLQuery.setParameter("productdescription", userSuppliedParameter);
>
>
> Hibernate Criteria Query:
>
> String userSuppliedParameter = request.getParameter("Product-Description"); // This should REALLY be validated too
> // perform input validation to detect attacks
> Inventory inv = (Inventory) session.createCriteria(Inventory.class)
>         .add(Restrictions.eq("productDescription", userSuppliedParameter))
>         .uniqueResult();
>
>
> Thanks.
>
>
> Cheers,
>
> Torsten
>
>
> 2014-01-30 Torsten Gigler <torsten.gigler at owasp.org 
> <mailto:torsten.gigler at owasp.org>>
>
>     Hi Jim,
>
>     thanks a lot.
>     We changed the query to get the "productDescription", not just
>     the "productID". So we have a better example that justifies using
>     'createCriteria' and not simply using 'session.load' (Thanks
>     for this hint, too).
>
>     So we get a brand new example for Hibernate ;-)
>
>     String userSuppliedParameter = request.getParameter("id"); // This should REALLY be validated too
>     // perform input validation to detect attacks
>     Inventory inv = (Inventory) session.createCriteria(Inventory.class)
>             .add(Restrictions.eq("productDescription", userSuppliedParameter))
>             .uniqueResult();
>
>     If you like it, feel free to use it in the Cheat Sheets as second
>     example for Hibernate, too.
>
>     Thanks
>
>     Torsten
>
>     PS: We do have good Beer in BAVARIA ;-))
>
>
>     2014-01-30 Jim Manico <jim.manico at owasp.org
>     <mailto:jim.manico at owasp.org>>
>
>         > Additionally we should be automatically protected from SQL
>         injection, assuming that in this case Hibernate builds the
>         underlying query like parameterized Queries.
>
>         TOTALLY. As long as you are using the Criteria API, you are
>         completely safe from SQL injection. When you use
>         un-parameterized HQL, you are vulnerable to HQL injection.
>
>         Cool?
>
>         PS: THERE IS BEER IN HAWAII! REALLY!
>>
>>         Is this OK? What do you think about it?
>>
>>         Kind Regards
>>
>>         Torsten
>>
>>
>>
>>         2014-01-25 Jim Manico <jim.manico at owasp.org
>>         <mailto:jim.manico at owasp.org>>
>>
>>             It looks like you are loading one Inventory object for
>>             one productId. I would normally do something like this so
>>             I would not need any kind of parameterization....
>>
>>             String userSuppliedParameter = request.getParameter("id");
>>
>>             Long userSuppliedLong = Long.valueOf(userSuppliedParameter);
>>             // need to check for errors here (NumberFormatException on non-numeric input)
>>
>>             Inventory inv = (Inventory) session.load(Inventory.class, userSuppliedLong);
>>
>>             From: Torsten Gigler [mailto:torsten.gigler at owasp.org
>>             <mailto:torsten.gigler at owasp.org>]
>>             Sent: Friday, January 24, 2014 2:56 AM
>>             To: owasp-cheat-sheets at lists.owasp.org
>>             <mailto:owasp-cheat-sheets at lists.owasp.org>; Jim Manico
>>             Cc: owasp_top_10_fuer_entwickler at lists.owasp.org
>>             <mailto:owasp_top_10_fuer_entwickler at lists.owasp.org>
>>             Subject: Query Parameterization Cheat Sheet / Java
>>             Hibernate
>>
>>             Hi Jim, hi Community,
>>
>>             we have a suggestion in our Project 'OWASP Top 10 fuer
>>             Entwickler' (Top 10 Developer Edition in German) for a
>>             different example for 'Java Hibernate':
>>
>>             String userSuppliedParameter = request.getParameter("id"); // This should REALLY be validated too
>>             // perform input validation to detect attacks
>>             Inventory inv = (Inventory) session.createCriteria(Inventory.class)
>>                     .add(Restrictions.eq("productID", userSuppliedParameter))
>>                     .uniqueResult();
>>
>>             (see:
>>             https://www.owasp.org/index.php/Germany/Projekte/Top_10_fuer_Entwickler/A1_Injection)
>>
>>             Actually we provide both examples, preferring the new one.
>>
>>             Do you have any comments about the new example?
>>
>>             Thanks. Kind regards
>>
>>             Torsten
>>
>>
>
>
>
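
Added example (mine, not code from the thread or from the OWASP cheat sheet): the four lookups the thread discusses side by side, so the difference between HQL text built from user input and parameter binding is visible in one place. It assumes Hibernate 5.2 or later with the `javax.persistence` API, an `Inventory` entity with a `Long` `productId` as its `@Id` and a `String` `productDescription`, and a `Session` supplied by the caller; `InventoryLookup` and the method names are my own. The legacy `session.createCriteria(...)` used in the thread is deprecated in Hibernate 5.2 and removed in Hibernate 6, so the Criteria variant here uses the JPA `CriteriaBuilder` with an explicit bound parameter instead.

```java
import java.util.List;

import javax.persistence.criteria.CriteriaBuilder;
import javax.persistence.criteria.CriteriaQuery;
import javax.persistence.criteria.ParameterExpression;
import javax.persistence.criteria.Root;

import org.hibernate.Session;
import org.hibernate.query.Query;

// Assumed entity: Inventory { @Id Long productId; String productDescription; }
public class InventoryLookup {

    // VULNERABLE: the user-supplied string becomes part of the HQL text itself.
    // Input such as   x' or '1'='1   changes the query (HQL injection), and
    // Hibernate will happily translate the altered HQL to SQL.
    public static List<Inventory> findByDescriptionUnsafe(Session session, String userSupplied) {
        String hql = "from Inventory where productDescription = '" + userSupplied + "'";
        return session.createQuery(hql, Inventory.class).list();
    }

    // SAFE: the value is a named parameter. Hibernate passes it to JDBC as a
    // PreparedStatement bind value, never as part of the query text, so the
    // same   x' or '1'='1   simply matches no row.
    public static List<Inventory> findByDescription(Session session, String userSupplied) {
        Query<Inventory> q = session.createQuery(
                "from Inventory where productDescription = :productdescription", Inventory.class);
        q.setParameter("productdescription", userSupplied);
        return q.list();
    }

    // SAFE: the same query through the JPA Criteria API. Using an explicit
    // ParameterExpression guarantees the value is bound rather than inlined,
    // independent of Hibernate's literal-handling settings.
    public static List<Inventory> findByDescriptionCriteria(Session session, String userSupplied) {
        CriteriaBuilder cb = session.getCriteriaBuilder();
        CriteriaQuery<Inventory> cq = cb.createQuery(Inventory.class);
        Root<Inventory> root = cq.from(Inventory.class);
        ParameterExpression<String> p = cb.parameter(String.class, "productdescription");
        cq.select(root).where(cb.equal(root.get("productDescription"), p));
        return session.createQuery(cq)
                .setParameter("productdescription", userSupplied)
                .getResultList();
    }

    // SAFE: a primary-key lookup needs no query text at all (Jim's session.load
    // suggestion). Parse the id first so non-numeric input is rejected before it
    // reaches Hibernate; this is the "need to check for errors here" step.
    public static Inventory findById(Session session, String userSuppliedId) {
        long id;
        try {
            id = Long.parseLong(userSuppliedId.trim());
        } catch (NumberFormatException e) {
            return null; // invalid input: reject (or log it as a possible attack)
        }
        // get() returns null when the row does not exist; load() would instead
        // return a proxy that throws ObjectNotFoundException on first access.
        return session.get(Inventory.class, id);
    }
}
```

The contrast to keep in mind is that all three safe variants end up as a JDBC `PreparedStatement` with `?` placeholders, while the first variant produces a different statement for every input; whether the injection is in SQL or in HQL, the fix is the same: bind, do not concatenate.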

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp_top_10_fuer_entwickler/attachments/20140210/ecfaf8df/attachment.html>


More information about the Owasp_Top_10_fuer_Entwickler mailing list