Sunday, June 16, 2013

27 - Understanding Parameter Binding and SQL Injection

We'll understand how appending parameters to SQL queries causes SQL injection, and will learn how to use the Parameter Binding feature in Hibernate.

//String minUserId = "15 or 1=1"; //security risk 1=1 displays all the reuslts
String minUserId = "15";
String userName = "User 9";

//Query query = session.createQuery("from UserDetails where userid >"+minUserId);
/*
Query query = session.createQuery("from UserDetails where userid > ? and userName = ?");
query.setInteger(0, Integer.parseInt(minUserId));
query.setString(1, userName);
*/

//you do in alternate way as well instead of question marks we can use names
Query query = session.createQuery("from UserDetails where userid > :userId and userName = :userName");
query.setInteger("userId", Integer.parseInt(minUserId));
query.setString("userName", userName);

HibernateTest.java
package org.yash.hibernate;

import java.util.List;

import org.hibernate.Query;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.cfg.Configuration;
import org.yash.dto.UserDetails;

public class HibernateTest {

      public static void main(String args[]) {
           
            SessionFactory sessionFactory = new Configuration().configure()
                        .buildSessionFactory();
            Session session = sessionFactory.openSession();
            session.beginTransaction();
            //String minUserId = "15 or 1=1"; //security risk 1=1 displays all the reuslts
            String minUserId = "15";
            String userName = "User 9";
           
            //Query query = session.createQuery("from UserDetails where userid >"+minUserId);
            /*
            Query query = session.createQuery("from UserDetails where userid > ? and userName = ?");
            query.setInteger(0, Integer.parseInt(minUserId));
            query.setString(1, userName);
            */
           
            //you do in alternate way as well instead of question marks we can use names
            Query query = session.createQuery("from UserDetails where userid > :userId and userName = :userName");
            query.setInteger("userId", Integer.parseInt(minUserId));
            query.setString("userName", userName);
           
           
            List<UserDetails> users = (List<UserDetails>)query.list();       
           
            session.getTransaction().commit();
            session.close();
           
            for(UserDetails u:users){
                  System.out.println(u.getUserName());
            }
           

      }
}

UserDetails.java
package org.yash.dto;

import java.util.ArrayList;
import java.util.Collection;

import javax.persistence.CascadeType;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.OneToMany;

@Entity
@org.hibernate.annotations.Entity(selectBeforeUpdate=true)
public class UserDetails {
      /* @Id says "userId" is primary key */
      @Id @GeneratedValue (strategy=GenerationType.AUTO)
      private int userId;    
      private String userName;
      @OneToMany(cascade=CascadeType.PERSIST)
      private Collection<Vehicle> vehicle = new ArrayList<Vehicle>();
           
      public int getUserId() {
            return userId;
      }
      public void setUserId(int userId) {
            this.userId = userId;
      }
      public String getUserName() {
            return userName;
      }
      public void setUserName(String userName) {
            this.userName = userName;
      }
      public void setVehicle(Collection<Vehicle> vehicle) {
            this.vehicle = vehicle;
      }
      public Collection<Vehicle> getVehicle() {
            return vehicle;
      }
}

hibernate.cfg.xml
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE hibernate-configuration PUBLIC
        "-//Hibernate/Hibernate Configuration DTD 3.0//EN"
        "http://hibernate.sourceforge.net/hibernate-configuration-3.0.dtd">

<hibernate-configuration>

    <session-factory>

        <property name="connection.driver_class">
            org.postgresql.Driver
        </property>
        <property name="connection.url">
            jdbc:postgresql://localhost:5433/hibernatedb
        </property>
        <property name="connection.username">postgres</property>
        <property name="connection.password">admin</property>

        <!-- JDBC connection pool (use the built-in) -->
        <property name="connection.pool_size">1</property>

        <!-- SQL dialect -->
        <property name="dialect">
            org.hibernate.dialect.PostgreSQLDialect
        </property>

        <!-- Enable Hibernate's automatic session context management -->
        <property name="current_session_context_class">thread</property>
       
        <!-- Echo all executed SQL to stdout -->
        <property name="show_sql">true</property>
       
        <!-- Drop and re-create the database schema on startup -->
            <property name="hbm2ddl.auto">update</property> 
<!-- create / update -->
   
          <!-- Names the annotated entity class -->
            <mapping class="org.yash.dto.UserDetails"/>    
           
    </session-factory>


</hibernate-configuration>
Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)