Hibernate Query Language Injection

Now, obviously, it's possible to inject into the query. But that is HQL language. If it was SQL, and I knew the structure of the database, I could hang a 'union' operation and could log in to any account. But I don't quite see what kind of malicious HQL I can hang on here to really make something bad happen.

Hibernate Query Language (HQL) is an object-oriented query language, similar to SQL, but instead of operating on tables and columns, HQL works with persistent objects and their properties. HQL queries are translated by Hibernate into conventional SQL queries, which in turn perform the actions on the database.

You can use native SQL to express database queries if you want to utilize database-specific features such as query hints or the CONNECT keyword in Oracle. Hibernate 3.x allows you to specify handwritten SQL, including stored procedures, for all create, update, delete, and load operations.

Hibernate and other ORM frameworks offer some protection from SQL injection by their internal use of prepared statements, but be cautious when directly using query language constructs in these systems (such as HQL in Hibernate).

Your application will create a native SQL query from the session with the createSQLQuery() method on the Session interface −

After you pass a string containing the SQL query to the createSQLQuery() method, you can associate the SQL result with either an existing Hibernate entity, a join, or a scalar result using addEntity(), addJoin(), and addScalar() methods respectively.
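As an added example, not from this tutorial: the same EMPLOYEE lookup written first with string concatenation (the query grammar is then under the caller's control), then with a bound parameter through createSQLQuery() and its HQL equivalent, plus an allow-list for the one place, an ORDER BY column, where no parameter can be bound. It assumes the Employee entity and EMPLOYEE table (first_name, last_name, salary) from this tutorial and the Hibernate 3.x/4.x Session API the page uses (createSQLQuery was renamed createNativeQuery in Hibernate 5.2).

```java
import java.util.Arrays;
import java.util.List;
import org.hibernate.Query;
import org.hibernate.SQLQuery;
import org.hibernate.Session;

public class EmployeeLookup {

    // UNSAFE: the caller-supplied value becomes part of the SQL text, so a
    // quote character in it ends the literal and the rest is parsed as SQL.
    public static List<?> findByLastNameUnsafe(Session session, String lastName) {
        String sql = "SELECT * FROM EMPLOYEE WHERE last_name = '" + lastName + "'";
        SQLQuery query = session.createSQLQuery(sql);
        query.addEntity(Employee.class);   // Employee: the tutorial's mapped POJO (assumed)
        return query.list();
    }

    // SAFE: the query text is a constant; the value travels as a bound
    // parameter of the prepared statement and is never parsed as SQL.
    public static List<?> findByLastName(Session session, String lastName) {
        SQLQuery query = session.createSQLQuery(
            "SELECT * FROM EMPLOYEE WHERE last_name = :lastName");
        query.addEntity(Employee.class);
        query.setParameter("lastName", lastName);
        return query.list();
    }

    // The HQL form binds the same way; concatenating into HQL is just as
    // unsafe as concatenating into SQL, since HQL is translated to SQL.
    public static List<?> findByLastNameHql(Session session, String lastName) {
        Query query = session.createQuery(
            "FROM Employee e WHERE e.lastName = :lastName");
        query.setParameter("lastName", lastName);
        return query.list();
    }

    // Identifiers cannot be bound as parameters, so a caller-chosen sort
    // column must be checked against a fixed allow-list before it is used.
    private static final List<String> SORTABLE =
        Arrays.asList("first_name", "last_name", "salary");

    public static List<?> listSorted(Session session, String sortColumn) {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        SQLQuery query = session.createSQLQuery(
            "SELECT * FROM EMPLOYEE ORDER BY " + sortColumn);
        query.addEntity(Employee.class);
        return query.list();
    }
}
```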

Scalar Queries

The most basic SQL query is to get a list of scalars (values) from one or more tables. Following is the syntax for using native SQL for scalar values −

Entity Queries

The above queries were all about returning scalar values, basically returning the 'raw' values from the result set. Following is the syntax to get entity objects as a whole from a native SQL query via addEntity().

Named SQL Queries

Following is the syntax to get entity objects from a native SQL query via addEntity() using a named SQL query.

Native SQL Example

Consider the following POJO class −

Let us create the following EMPLOYEE table to store Employee objects −

Following will be mapping file −

Finally, we will create our application class with the main() method to run the application where we will use Native SQL queries −

Compilation and Execution

Here are the steps to compile and run the above mentioned application. Make sure you have set PATH and CLASSPATH appropriately before proceeding with compilation and execution.

  • Create the hibernate.cfg.xml configuration file as explained in the configuration chapter.

  • Create the Employee.hbm.xml mapping file as shown above.

  • Create the Employee.java source file as shown above and compile it.

  • Create the ManageEmployee.java source file as shown above and compile it.

  • Execute the ManageEmployee binary to run the program.

You would get the following result, and records would be created in the EMPLOYEE table.

If you check your EMPLOYEE table, it should have the following records −