TEAM: I.S.T.O
AUTHOR: kj021320
Official BLOG: http://blog.csdn.net/I_S_T_O
Reprinting is permitted, but without the author's consent this text may not be used for any form of commercial activity.
ORM technologies are becoming more and more popular. The programmer hands every database operation to the persistence layer,
and for convenience the frameworks also provide their own object query languages, such as Hibernate's HQL and EJB's EJB-QL.
Is this a good thing? It really is, for rigorous programmers. It is of little help to those who barely understand the technology,
and it is even worse for the lazy.
Below I take three commonly used persistence layer frameworks and show code snippets for each.
Ibatis
<select id="unsafe" resultMap="myResultMap">
    select * from table where name like '%$value$%'
</select>
UnSafeBean b = (UnSafeBean) sqlMap.queryForObject("unsafe", request.getParameter("name"));
Assume that the user submits kj021320.
It is translated into the following native SQL:
select * from table where name like '%kj021320%'
In iBatis, a variable written between $ signs is simply substituted into the SQL text; it is neither escaped nor bound as a parameter, so this pattern is a frequent source of injection.
You need to correct the code:
<select id="safe" parameterClass="java.lang.String" resultMap="myResultMap">
    select * from table where name like #value#
</select>
SafeBean b = (SafeBean) sqlMap.queryForObject("safe", "%" + request.getParameter("name") + "%");
Declaring the parameter type in the XML is a little more work, but this is all it takes to prevent injection into the object query: #value# is bound as a parameter, so the user's text never becomes part of the SQL.
Hibernate
Many people use this framework. Let's look at the following code example.
LoginUser lu = (LoginUser) session.find("from cn.isto.User as u where u.upass='" + LoginUser.getUpass() + "'");
This one is obvious: the submitted password can change the HQL statement at will and bypass authentication.
Now let's repair it:
// the third argument is the Hibernate Type of the bound parameter, here Hibernate.STRING
LoginUser lu = (LoginUser) session.find("from cn.isto.User as u where u.upass=?", LoginUser.getUpass(), Hibernate.STRING);
The Session class has three overloads of find(); you must use the one that takes the parameter separately, so that the value is bound instead of concatenated.
The above is only a brief description. Hibernate offers many other ways to build HQL, such as createSQLQuery and iterate, and every one of them deserves the same attention.
Finally, the big one: Enterprise Java Beans.
EJB
EJB is actually too broad a topic. Entity beans are rarely used in practice, and the security of session beans and message-driven beans is not discussed here.
Entity bean queries declared in the deployment descriptor generally cannot be injected.
See the following
<query>
    <query-method>
        <method-name>findByMember</method-name>
        <method-params>
            <method-param>java.lang.String</method-param>
        </method-params>
    </query-method>
    <ejb-ql>
        <![CDATA[select object(h) FROM Member AS h WHERE h.name = ?1]]>
    </ejb-ql>
</query>
Parameters in the descriptor are always written in the ?n form; that is the specification and it cannot be changed. But what happens when you build an EJB-QL query yourself? Look at the following code, which a lazy programmer could easily write.
StringBuffer ql = new StringBuffer("select object(h) FROM Member AS h");
String order = request.getParameter("order");
if (order != null)
    ql.append(" order by id ").append(order);   // user input appended directly to the query text
Query query = em.createQuery(ql.toString());
The code above is open to object query injection: whatever is submitted as order is appended to the query unchanged.
Let's fix it.
private static final String[] ORDERS = {"asc", "desc"};
// only a value from the fixed list may reach the query; anything else falls back to the default
if (Arrays.asList(ORDERS).contains(order)) {
    ql.append(order);
} else {
    ql.append("asc");
}
Query query = em.createQuery(ql.toString());
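The order-by case above, as an added example that is not code from the original post: it builds the EJB-QL string once unsafely and once with the allowlist check, and goes one step further by also allowlisting the column name. MemberQueryBuilder, buildUnsafe and buildSafe are hypothetical names; no EntityManager is needed to run it.

```java
import java.util.Arrays;
import java.util.List;

// Added example, not code from the original post. Builds the EJB-QL string for
// the "order" parameter, once unsafely and once with the allowlist check, and
// also allowlists the column name. All class and method names are hypothetical.
public class MemberQueryBuilder {
    private static final String BASE = "select object(h) FROM Member AS h";
    private static final List<String> ORDERS = Arrays.asList("asc", "desc");
    private static final List<String> COLUMNS = Arrays.asList("id", "name");

    // Mirrors the vulnerable snippet: whatever was submitted is appended as-is,
    // so the caller controls the tail of the query text.
    public static String buildUnsafe(String order) {
        StringBuilder ql = new StringBuilder(BASE);
        if (order != null) {
            ql.append(" order by id ").append(order);
        }
        return ql.toString();
    }

    // Hardened form: only values from the fixed allowlists ever reach the query
    // text; anything else falls back to a safe default instead of being appended.
    public static String buildSafe(String column, String order) {
        String col = COLUMNS.contains(column) ? column : "id";
        String dir = (order != null && ORDERS.contains(order.toLowerCase()))
                ? order.toLowerCase() : "asc";
        return BASE + " order by h." + col + " " + dir;
    }

    public static void main(String[] args) {
        // Constructed inputs: one valid direction and one that is not a direction at all.
        String valid = "desc";
        String offList = "desc extra text";
        System.out.println(buildUnsafe(valid));
        System.out.println(buildUnsafe(offList));      // the extra text lands inside the query
        System.out.println(buildSafe("name", valid));
        System.out.println(buildSafe("name", offList)); // falls back to the default direction
        // Hand only the safe string to EntityManager.createQuery().
    }
}
```

Because the query text is assembled entirely from constants and allowlisted tokens, the submitted value never appears in it verbatim, which is what makes the result safe to pass to createQuery().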
In a word: don't give your code too much freedom, and don't be lazy!
There are more persistence layer frameworks whose security risks have not been analyzed here, for example JDO, pBeans and so on.