Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story)

From: David Kerr <dmk(at)mr-paradox(dot)net>
To: Sebastian Hennebrueder <usenet(at)laliluna(dot)de>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story)
Date: 2010-02-08 16:25:43
Message-ID: 20100208162543.GC73377@mr-paradox.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

On Fri, Feb 05, 2010 at 09:19:40PM +0100, Sebastian Hennebrueder wrote:
- John R Pierce schrieb:
- >David Kerr wrote:
- >>Howdy all,
- >>
- >>We're using Postgres 8.3 with all of our apps connecting to the database
- >>with Hibernate / JPA.
- >>
- >>Our security team is concerned about SQL Injection attacks, and would
- >>like to implement some mod_security rules to protect against it.
- >>
- >>From what I've read Postgres vanilla is pretty robust when it comes to
- >>dealing with SQL Injection attacks,
- >>
- >
- >that would be a function of how you use Postgresql. if you do the
- >typical PHP hacker style of building statements with inline values then
- >executing them, you're vunerable unless you totally sanitize all your
- >inputs. see http://xkcd.com/327/
- >
- >if you use parameterized calls (easy in perl, java, etc but not so easy
- >in php), you're should be immune. in the past there were some issues
- >with specific evil mis-coded UTF8 sequences, but afaik, thats been
- >cleared up for quite a while.
- >
- >
- >>and when you put an abstraction layer like Hibernate on top of it,
- >>you're basically rock solid against them.
- >
- >I would assume so, but I'm not familiar with the implementation details
- >of Hibernate.
- >
- >
- >
- It dependends how you use Hibernate. If you do String concatenation
- instead of parameterized queries, then you can encounter the same
- injection problems like SQL.

Ok so Hibernante could suffer from the same issues as any framework.

Thanks

Dave

In response to

Browse pgsql-general by date

  From Date Subject
Next Message erobles 2010-02-08 16:35:21 Re: which the best way to start postgres.
Previous Message David Kerr 2010-02-08 16:24:21 Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story)