I am developing an application using hibernate. When I try to create a Login page, The problem of Sql Injection arises. I have the following code: How will i prevent Sql Injection in this scenario ?The create table syntax of loginInfo table is as follows: Answer You have other options too, see this nice article from mkyong.

How to prevent SQL Injection with JPA and Hibernate?

I am developing an application using hibernate. When I try to create a Login page, The problem of Sql Injection arises. I have the following code:

@Component
@Transactional(propagation = Propagation.SUPPORTS)
public class LoginInfoDAOImpl implements LoginInfoDAO{

@Autowired
private SessionFactory sessionFactory;      
@Override
public LoginInfo getLoginInfo(String userName,String password){
    List<LoginInfo> loginList = sessionFactory.getCurrentSession().createQuery("from LoginInfo where userName='"+userName+"' and password='"+password+"'").list();
    if(loginList!=null )
        return loginList.get(0);
    else return null;   
          }
      }

JavaScript
​x
 
@Component@Transactional(propagation = Propagation.SUPPORTS)public class LoginInfoDAOImpl implements LoginInfoDAO{​@Autowiredprivate SessionFactory sessionFactory;      @Overridepublic LoginInfo getLoginInfo(String userName,String password){    List<LoginInfo> loginList = sessionFactory.getCurrentSession().createQuery("from LoginInfo where userName='"+userName+"' and password='"+password+"'").list();    if(loginList!=null )        return loginList.get(0);    else return null;             }      }​

How will i prevent Sql Injection in this scenario ?The create table syntax of loginInfo table is as follows:

create table login_info
  (user_name varchar(16) not null primary key,
  pass_word varchar(16) not null);

JavaScript
 
create table login_info  (user_name varchar(16) not null primary key,  pass_word varchar(16) not null); ​

Answer

Query q = sessionFactory.getCurrentSession().createQuery("from LoginInfo where userName = :name");
q.setParameter("name", userName);
List<LoginInfo> loginList = q.list();

JavaScript
 
Query q = sessionFactory.getCurrentSession().createQuery("from LoginInfo where userName = :name");q.setParameter("name", userName);List<LoginInfo> loginList = q.list();​

You have other options too, see this nice article from mkyong.

Advertisement

Answer