Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story)

From: Sebastian Hennebrueder <usenet(at)laliluna(dot)de>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story)
Date: 2010-02-05 20:19:40
Message-ID: 4B6C7D5C.5020708@laliluna.de
Lists: pgsql-general

John R Pierce schrieb:
> David Kerr wrote:
>> Howdy all,
>>
>> We're using Postgres 8.3 with all of our apps connecting to the database
>> with Hibernate / JPA.
>>
>> Our security team is concerned about SQL Injection attacks, and would
>> like to implement some mod_security rules to protect against it.
>>
>> From what I've read Postgres vanilla is pretty robust when it comes to
>> dealing with SQL Injection attacks,
>>
>
> that would be a function of how you use Postgresql. if you do the
> typical PHP hacker style of building statements with inline values then
> executing them, you're vulnerable unless you totally sanitize all your
> inputs. see http://xkcd.com/327/
>
> if you use parameterized calls (easy in perl, java, etc but not so easy
> in php), you should be immune. in the past there were some issues
> with specific evil mis-coded UTF8 sequences, but afaik, that's been
> cleared up for quite a while.
>
>
>> and when you put an abstraction layer like Hibernate on top of it,
>> you're basically rock solid against them.
>
> I would assume so, but I'm not familiar with the implementation details
> of Hibernate.
>
>
>
It depends how you use Hibernate. If you do String concatenation
instead of parameterized queries, then you can encounter the same
injection problems as with SQL.

--
Best Regards / Viele Grüße

Sebastian Hennebrueder
-----
Software Developer and Trainer for Hibernate / Java Persistence
http://www.laliluna.de
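The point made in both replies above, the concatenated query beside its parameterized form, as an added example that is not part of the thread: it uses the JPA EntityManager API as Hibernate exposes it and assumes a hypothetical `Account` entity with `username` and `email` fields. It also shows the one case a bound parameter cannot cover, an ORDER BY column, where an allow-list replaces concatenation.

```java
import java.util.List;
import java.util.Set;
import javax.persistence.EntityManager;
import javax.persistence.TypedQuery;

// Assumed entity (not from the thread): class Account { String username; String email; ... }
public class AccountLookup {

    private final EntityManager em;

    public AccountLookup(EntityManager em) {
        this.em = em;
    }

    // VULNERABLE: the caller-supplied value is spliced into the JPQL/HQL text,
    // so the query structure is under the caller's control exactly as with raw SQL.
    // Hibernate only translates this text to SQL; it does not escape it.
    public List<Account> findByUsernameUnsafe(String username) {
        String jpql = "select a from Account a where a.username = '" + username + "'";
        return em.createQuery(jpql, Account.class).getResultList();
    }

    // SAFE: the value travels as a bound parameter. Hibernate hands it to the
    // PostgreSQL driver separately from the statement text, so whatever it
    // contains is compared as data and can never change the statement.
    public List<Account> findByUsername(String username) {
        TypedQuery<Account> q = em.createQuery(
            "select a from Account a where a.username = :username", Account.class);
        q.setParameter("username", username);
        return q.getResultList();
    }

    // Parameters cannot stand in for identifiers (column names, ORDER BY targets).
    // For those, accept only values from a fixed allow-list instead of concatenating.
    private static final Set<String> SORTABLE = Set.of("username", "email");

    public List<Account> listSorted(String sortColumn) {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        // Safe to splice here: sortColumn is one of the two literals above, never user text.
        return em.createQuery("select a from Account a order by a." + sortColumn,
                              Account.class).getResultList();
    }
}
```

The same split applies to `createNativeQuery`: a native SQL string with `?1` or `:name` placeholders bound via `setParameter` is safe, a native SQL string assembled with `+` is not.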
