How namedparameter query blocks SQL injection


I have seen the HQL SQL injection topic at How to prevent SQL Injection in hibernate?. But I could not understand how Query.setParameter("<parameter name>", <parameter value>) eliminates SQL injection. If a malicious user passes true = true to the following HQL,

String hqlString = "from Item item where name= '"+nameValue+"'";

then he can pass it to query.setString("name" + nameValue) also! Do setString() and all of its sister methods have any filter to check for SQL injection?


There is 1 answer

Safwan Hijazi On

The JDBC or Hibernate driver will escape this data appropriately before the query is executed, making sure that the data is used just as data.

Before executing the query, the driver will escape characters like the following:

  1. ; (Query delimiter.)
  2. ' (Character data string delimiter.)
  3. -- (Comment delimiter.)
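The point the answer makes, shown as an added example (not code from the question or the answer): the same lookup built by string concatenation, as in the question's hqlString, and by parameter binding, as with setParameter/setString. Hibernate is not used here; the example runs against an in-memory SQLite table with Python's sqlite3 module, because the mechanism is the same in every database API that supports bound parameters: the SQL text the engine parses contains only a placeholder, and the value is delivered separately and compared as data, so a quote or an OR inside it is never parsed as SQL. The table, its rows and the malicious input are all constructed for the demonstration.

```python
"""Added example (not from the original question or answer): a query built
by string concatenation beside the same query with a bound parameter,
run against a constructed in-memory SQLite table."""
import sqlite3


def make_db():
    """Constructed sample data: a small item table, including a name that
    legitimately contains apostrophes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO item (name) VALUES (?)",
        [("hammer",), ("wrench",), ("O'Neil's saw",)],
    )
    return conn


def find_concat(conn, name_value):
    """Vulnerable: the value is pasted into the SQL text (the same shape as
    the question's hqlString), so quotes and keywords in it become part of
    the statement the engine parses."""
    sql = "SELECT name FROM item WHERE name = '" + name_value + "'"
    return [row[0] for row in conn.execute(sql)]


def find_bound(conn, name_value):
    """Safe: the statement text holds only a placeholder. The value is passed
    to the engine as a parameter, compared as data, and never re-parsed,
    whatever characters it contains."""
    sql = "SELECT name FROM item WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name_value,))]


# Constructed attacker input: closes the open quote, appends an always-true
# condition, and leaves the trailing quote to close the original string.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("concat, benign :", find_concat(db, "hammer"))
    print("bound,  benign :", find_bound(db, "hammer"))
    print("concat, payload:", find_concat(db, PAYLOAD))   # every row leaks
    print("bound,  payload:", find_bound(db, PAYLOAD))    # no row matches
    print("bound,  quote  :", find_bound(db, "O'Neil's saw"))
    try:
        find_concat(db, "O'Neil's saw")
    except sqlite3.OperationalError as exc:
        print("concat, quote  : syntax error ->", exc)
```

Note what the bound version does with O'Neil's saw: the apostrophes are stored and matched verbatim, not rewritten, which is the practical sign that the driver is binding a value rather than editing the query string. The concatenated version, by contrast, turns a harmless apostrophe into a syntax error and the payload into a condition that matches every row.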