From: | David Kerr <dmk(at)mr-paradox(dot)net> |
---|---|
To: | Sebastian Hennebrueder <usenet(at)laliluna(dot)de> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story) |
Date: | 2010-02-08 16:25:43 |
Message-ID: | 20100208162543.GC73377@mr-paradox.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
On Fri, Feb 05, 2010 at 09:19:40PM +0100, Sebastian Hennebrueder wrote:
- John R Pierce schrieb:
- >David Kerr wrote:
- >>Howdy all,
- >>
- >>We're using Postgres 8.3 with all of our apps connecting to the database
- >>with Hibernate / JPA.
- >>
- >>Our security team is concerned about SQL Injection attacks, and would
- >>like to implement some mod_security rules to protect against it.
- >>
- >>From what I've read Postgres vanilla is pretty robust when it comes to
- >>dealing with SQL Injection attacks,
- >>
- >
- >that would be a function of how you use Postgresql. if you do the
- >typical PHP hacker style of building statements with inline values then
- >executing them, you're vunerable unless you totally sanitize all your
- >inputs. see http://xkcd.com/327/
- >
- >if you use parameterized calls (easy in perl, java, etc but not so easy
- >in php), you're should be immune. in the past there were some issues
- >with specific evil mis-coded UTF8 sequences, but afaik, thats been
- >cleared up for quite a while.
- >
- >
- >>and when you put an abstraction layer like Hibernate on top of it,
- >>you're basically rock solid against them.
- >
- >I would assume so, but I'm not familiar with the implementation details
- >of Hibernate.
- >
- >
- >
- It dependends how you use Hibernate. If you do String concatenation
- instead of parameterized queries, then you can encounter the same
- injection problems like SQL.
Ok so Hibernante could suffer from the same issues as any framework.
Thanks
Dave
From | Date | Subject | |
---|---|---|---|
Next Message | erobles | 2010-02-08 16:35:21 | Re: which the best way to start postgres. |
Previous Message | David Kerr | 2010-02-08 16:24:21 | Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story) |