Are SQL injection attacks possible in JPA?
https://stackoverflow.com/questions/3441193
-
27-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm building a Java Web Application using Java EE 6 and JSF-2.0, using the persistence API for all database operations.
The back-end is MySQL, but I have used the EntityManager functions and Named Queries in EJB-QL for all operations. Are SQL injection attacks possible in this case?
Solution
It's only possible if you're inlining user-controlled variables in a SQL/JPQL string like so:
String sql = "SELECT u FROM User u WHERE id=" + id;
If you aren't doing that and are using parameterized/named queries only, then you're safe.
OTHER TIPS
Yes, it is possible. It depends on the way you implement.
Have a look at Preventing injection in JPA query language.
If your JPA provider processes all input arguments to handle injection attacks then you should be covered. We do thin in EclipseLink.
As the previous poster mentioned piecing together your own JPQL or SQL (for native queries) could expose you.
I would recommend using named queries with parameters over concatenating strings to build JPQL/SQL.
Doug
In case you're asking from an offensive/practical perspective, if a JPQL statement is constructed from user input, consider the following user input:
blah') AND FUNCTION('user like chr(65)||chr(37) AND 42 - ', 1) > 40 AND ('42'='42
If the victim is using a JPA implementation >= 2.1, and the backend database is Oracle, something like the above may act as a boolean SQL injection to tell you if the database user starts with 'A'.
