Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story)

On Fri, Feb 05, 2010 at 09:19:40PM +0100, Sebastian Hennebrueder wrote:
- John R Pierce schrieb:
- >David Kerr wrote:
- >>Howdy all,
- >>
- >>We're using Postgres 8.3 with all of our apps connecting to the database
- >>with Hibernate / JPA.
- >>
- >>Our security team is concerned about SQL Injection attacks, and would
- >>like to implement some mod_security rules to protect against it.
- >>
- >>From what I've read Postgres vanilla is pretty robust when it comes to
- >>dealing with SQL Injection attacks,
- >>
- >
- >that would be a function of how you use Postgresql. if you do the
- >typical PHP hacker style of building statements with inline values then
- >executing them, you're vunerable unless you totally sanitize all your
- >inputs. see http://xkcd.com/327/
- >
- >if you use parameterized calls (easy in perl, java, etc but not so easy
- >in php), you're should be immune. in the past there were some issues
- >with specific evil mis-coded UTF8 sequences, but afaik, thats been
- >cleared up for quite a while.
- >
- >
- >>and when you put an abstraction layer like Hibernate on top of it,
- >>you're basically rock solid against them.
- >
- >I would assume so, but I'm not familiar with the implementation details
- >of Hibernate.
- >
- >
- >
- It dependends how you use Hibernate. If you do String concatenation
- instead of parameterized queries, then you can encounter the same
- injection problems like SQL.

Ok so Hibernante could suffer from the same issues as any framework.

Thanks

Dave