
Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story)

From: David Kerr <dmk(at)mr-paradox(dot)net>
To: Sebastian Hennebrueder <usenet(at)laliluna(dot)de>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story)
Date: 2010-02-08 16:25:43
Message-ID: 20100208162543.GC73377@mr-paradox.net
Lists: pgsql-general
On Fri, Feb 05, 2010 at 09:19:40PM +0100, Sebastian Hennebrueder wrote:
> John R Pierce wrote:
>> David Kerr wrote:
>>> Howdy all,
>>>
>>> We're using Postgres 8.3 with all of our apps connecting to the database
>>> with Hibernate / JPA.
>>>
>>> Our security team is concerned about SQL Injection attacks, and would
>>> like to implement some mod_security rules to protect against it.
>>>
>>> From what I've read Postgres vanilla is pretty robust when it comes to
>>> dealing with SQL Injection attacks,
>>>
>>
>> that would be a function of how you use Postgresql.   if you do the
>> typical PHP hacker style of building statements with inline values then
>> executing them, you're vulnerable unless you totally sanitize all your
>> inputs.     see http://xkcd.com/327/
>>
>> if you use parameterized calls (easy in perl, java, etc but not so easy
>> in php), you should be immune.  in the past there were some issues
>> with specific evil mis-coded UTF8 sequences, but afaik, that's been
>> cleared up for quite a while.
>>
>>
>>> and when you put an abstraction layer like Hibernate on top of it,
>>> you're basically rock solid against them.
>>
>> I would assume so, but I'm not familiar with the implementation details
>> of Hibernate.
>>
>>
>>
> It depends how you use Hibernate. If you do String concatenation
> instead of parameterized queries, then you can encounter the same
> injection problems like SQL.

Ok so Hibernate could suffer from the same issues as any framework.

Thanks

Dave
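The two Hibernate usages the thread contrasts, side by side, as an added illustration that is not part of the original mailing-list post. It assumes a hypothetical `User` entity with a `name` property and the Hibernate 3 `Session`/`Query` API that was current for the thread's Postgres 8.3 setup.

```java
import java.util.List;
import org.hibernate.Query;
import org.hibernate.Session;

// Assumes a hypothetical mapped entity "User" with a String property "name".
public class UserLookup {

    // The pattern the reply warns about: the caller-supplied value is spliced
    // into the HQL text, so a quote character inside "name" becomes part of
    // the query rather than part of the data. Hibernate only translates the
    // finished string to SQL for PostgreSQL; at this point neither layer can
    // tell query syntax from data, and the ORM gives no protection.
    public static List<?> findByNameConcatenated(Session session, String name) {
        String hql = "from User u where u.name = '" + name + "'";
        Query q = session.createQuery(hql);
        return q.list();
    }

    // The safe form: the value travels as a named parameter. Hibernate issues
    // a prepared statement with a placeholder and binds "name" separately, so
    // whatever the string contains is compared as a literal value and is
    // never interpreted as HQL or SQL syntax.
    public static List<?> findByNameParameterized(Session session, String name) {
        Query q = session.createQuery("from User u where u.name = :name");
        q.setParameter("name", name);
        return q.list();
    }
}
```

A practical code-review check for the first pattern is to look for `createQuery(` or `createSQLQuery(` calls whose argument is assembled with `+` or `String.format`, which is also the kind of defect a mod_security rule in front of the application cannot reliably see.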
