From: <leg...@at...> - 2003-07-14 18:13:44

The following comment has been added to this issue:

Author: Max Rydahl Andersen
Created: Mon, 14 Jul 2003 1:13 PM
Body:
Yes? And session.getConnection().execute(arbitrarySQL); is similar - what's ya' point? ;)
What's the error/bug?

---------------------------------------------------------------------
View the issue:
http://opensource.atlassian.com/projects/hibernate/secure/ViewIssue.jspa?key=HB-192

Here is an overview of the issue:
---------------------------------------------------------------------
Key: HB-192
Summary: net.sf.hibernate.type.StringType contains risky SQL generation
Type: Bug
Status: Unassigned
Priority: Major
Project: Hibernate2
Components: core
Versions: 2.0.1
Assignee:
Reporter: Paul Brown
Created: Mon, 14 Jul 2003 10:55 AM
Updated: Mon, 14 Jul 2003 10:55 AM
Description:
The method:

public String objectToSQLString(Object value) throws Exception {
    return '\'' + (String) value + '\'';
}

risks creating dangerous SQL in the hands of a well-informed, malicious user.

---------------------------------------------------------------------
JIRA INFORMATION:
This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
http://opensource.atlassian.com/projects/hibernate/secure/Administrators.jspa
If you want more information on JIRA, or have a bug to report see:
http://www.atlassian.com/software/jira
From: <leg...@at...> - 2003-07-14 22:43:45
The following comment has been added to this issue:

Author: Paul Brown
Created: Mon, 14 Jul 2003 5:43 PM
Body:
Sorry -- executing arbitrary SQL on the part of the application isn't the least bit dangerous and is sometimes desirable. The problem comes when someone attempts to persist a String, perhaps entered as a name on a web form, but it has the form:

' DROP ALL FROM SYSOBJECTS; COMMIT

Or something else silly. If it is incumbent on the implementer to perform any necessary escaping, then that should be documented somewhere. If this is used in such a way that the JDBC layer performs the escaping, then I humbly withdraw my comment.

---------------------------------------------------------------------
View the issue:
http://opensource.atlassian.com/projects/hibernate/secure/ViewIssue.jspa?key=HB-192
From: <leg...@at...> - 2003-07-15 06:34:43
The following comment has been added to this issue:

Author: Max Rydahl Andersen
Created: Tue, 15 Jul 2003 1:34 AM
Body:
I get your point, but is there much we can do about it? The SQL string you gave was a completely legal string ;) How would you escape away from it?

But anyhow - the JDBC driver should handle this, as the result of this method is passed to a PreparedStatement, which per the standard should handle such escaping (IMHO, or at least that is my understanding ;)

---------------------------------------------------------------------
View the issue:
http://opensource.atlassian.com/projects/hibernate/secure/ViewIssue.jspa?key=HB-192
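The quoting-versus-binding question raised in the two comments above, as an added example that is not part of the issue or of Hibernate's code: Python with the built-in sqlite3 module stands in for Java/JDBC so the block runs stand-alone, and the `people` table, the sample names and all helper functions are constructed for illustration. It reproduces the `objectToSQLString` quoting from the issue description, the SQL-standard quote doubling that answers "how would you escape away from it", and a parameter-bound insert. The point for defenders: a PreparedStatement protects only values passed as bind parameters; a value that has already been spliced into the statement text is parsed as SQL, so a single quote inside it ends the literal early and the statement no longer means what the application intended.

```python
import sqlite3

# Added example for HB-192 (not Hibernate code). Python/sqlite3 stands in for
# Java/JDBC so the block runs stand-alone; table and names are constructed.


def object_to_sql_string(value: str) -> str:
    """Transliteration of the StringType.objectToSQLString quoting shown in the
    issue: wrap the value in single quotes and escape nothing inside it."""
    return "'" + value + "'"


def escape_sql_literal(value: str) -> str:
    """SQL-standard literal escaping: double every embedded single quote.
    Dialect-dependent (backslash handling differs between engines), which is
    one reason parameter binding is preferred over building literals."""
    return "'" + value.replace("'", "''") + "'"


def build_insert(literal: str) -> str:
    """Statement text an implementer gets by splicing a literal into SQL."""
    return "INSERT INTO people (name) VALUES (" + literal + ")"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT)")
    return conn


def stored_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM people ORDER BY name")]


def insert_via(conn: sqlite3.Connection, sql: str, params=()):
    """Execute and report what the table contains afterwards, or 'error' if the
    statement no longer parses because the value broke out of its literal."""
    try:
        conn.execute(sql, params)
    except sqlite3.Error:
        return "error"
    return stored_names(conn)


def compare(name: str) -> dict:
    """Run the same input through all three approaches on separate databases."""
    return {
        # 1. raw quoting from the issue: any ' in the value ends the literal early
        "concat": insert_via(fresh_db(), build_insert(object_to_sql_string(name))),
        # 2. quote doubling: the literal stays intact for this dialect
        "escaped": insert_via(fresh_db(), build_insert(escape_sql_literal(name))),
        # 3. parameter binding: the value never enters the SQL text at all
        "bound": insert_via(fresh_db(), "INSERT INTO people (name) VALUES (?)", (name,)),
    }


if __name__ == "__main__":
    for n in ("Alice", "O'Brien"):
        print(n, "->", compare(n))
```

With the plain name the three approaches agree; with a name containing an apostrophe the raw quoting fails to parse while both the escaped literal and the bound parameter store the value unchanged. Whether the escaping belongs in the framework, the driver, or the application, the place to look is where the value joins the statement text, since binding after that point cannot undo the splice.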
From: <leg...@at...> - 2003-07-15 17:06:43
The following comment has been added to this issue:

Author: Paul Brown
Created: Tue, 15 Jul 2003 12:06 PM
Body:
Go ahead and close it out. Just thought that it was worth mentioning. (Of course, if Hibernate wasn't open source (thanks!), no one would have ever made a comment!)

---------------------------------------------------------------------
View the issue:
http://opensource.atlassian.com/projects/hibernate/secure/ViewIssue.jspa?key=HB-192