I'm building a Java Web Application using Java EE 6 and JSF-2.0, using the persistence API for all database operations.
The back-end is MySQL, but I have used the EntityManager functions and Named Queries in EJB-QL for all operations. Are SQL injection attacks possible in this case?
It's only possible if you're inlining user-controlled variables in a SQL/JPQL string like so:
String sql = "SELECT u FROM User u WHERE id=" + id;
If you aren't doing that and are using parameterized/named queries only, then you're safe.
Yes, it is possible. It depends on the way you implement.
Have a look at Preventing injection in JPA query language.
If your JPA provider processes all input arguments to handle injection attacks then you should be covered. We do thin in EclipseLink.
As the previous poster mentioned piecing together your own JPQL or SQL (for native queries) could expose you.
I would recommend using named queries with parameters over concatenating strings to build JPQL/SQL.
Doug
In case you're asking from an offensive/practical perspective, if a JPQL statement is constructed from user input, consider the following user input:
blah') AND FUNCTION('user like chr(65)||chr(37) AND 42 - ', 1) > 40 AND ('42'='42
If the victim is using a JPA implementation >= 2.1, and the backend database is Oracle, something like the above may act as a boolean SQL injection to tell you if the database user starts with 'A'.
Related
Due to some odd reason, I cannot go with JPA vendor like Hibernate, etc and I must use MyBatis.
Is there any implementation where we can enrich similar facility of CRUD operation in Mybatis?
(Like GenericDAO save, persist, merge, etc)
I have managed to come up with single interface implementation of CRUD type of operations (like Generic DAO) but still each table has to write it's own query in XML file (as table name, column names are different).
Will that make sense to come up with generic implementation?
Where I can give any table object for any CRUD operation through only 4 XML queries. (insert, update, read, delete) passing arguments of table name, column names, column values..etc.
Does it look like re-inventing the wheel in MyBatis or does MyBatis has some similar support?
you can try Mybatis Plus.This is for these cases.
MyBatis is not an ORM, instead it maps the result from SQL statements to objects.
You need to write SQL.
You will have a hard time if you try and apply the JPA model to working in MyBatis. You need to learn how MyBatis works instead.
You may be interested in the MyBatis Generator. Here is a screenshot of the introduction paragraph.
And here is the URL.
The generator looks at the Physical tables in an RDBMS and generates the CRUD mapping.That is half the job done. The other half is to utilize these mappings in your actual code.
Let this assumption also be cleared. The generator generates only the CRUD. For more complex operations like aggregations or joins et al, you may need to write the mappers on your own.
I know that if I use linq to sql, everything will be parametrised and sql injection safe.
But how about IQueryable?
For example, I can cast some entity to Iqueryable:
var myquery = mytesttable.AsQueryable();
var qText = "name="+ "\""+DynamicSearchCondition+ "\"";
myquery = myquery.Where(qText);
Then when the query is run, from trace I can see that the DynamicSearchCondition passed in is not parametrised.
Initially I thought this is not sql injection proof, but I then tried some examples, and just can't break this one.
Does it mean it is sql injection free then (I think it is now)?
If that is true, will it mean all IQueryable are sql injection safe?
Absolutely it is vulnerable to injection attacks.
For your particular example:
var myquery = mytesttable.AsQueryable();
var qText = "name="+ "\""+DynamicSearchCondition+ "\"";
myquery = myquery.Where(qText);
would fail with this:
var DynamicSearchCondition= "\" or \"\"=\"";
No, IQueryable itself is not injection proof because it is just an interface for building a query Expression. It does not define how to take that Expression and turn it into something to be executed, such as SQL. What does perform this is the query Provider (many exists. Linq to Objects, Linq to Entities, Linq to Excel, to name a few).
That said, your example which seems to use DynamicLinq (based on the .Where(string) extension use) should have similar parameterization protections as regular Linq to Entities IQueryable's. DynamicLinq doesn't introduce any additional SQL injection concerns, because it's just a utility that works on top of IQueryable. Everything it does is just translated to an expression tree that again depends on the Provider to actually translate to SQL. That doesn't mean that the DynamicLinq syntax itself is safe from its own injection potential (see here for some examples, but these are not SQL injection).
Microsoft has this to say about LINQ to Entities and SQL injection:
Security Considerations (Entity Framework)
Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.
This means your DynamicLinq built IQueryable (if using LINQ to Entities as the provider) should still parameterize inputs. If your question is really "Is LINQ to Entities injection proof?", then the best answer I could give is "Probably. They have made all reasonable efforts to protect against it.".
We are using entity framework 6.0 for development of our new application. All of our entity queries are generated from a DAL layer. For our current applications that are deployed to production, we use a SQL monitoring tool to track the performance of SQL queries.
My concern is how will I track down the DAL class that is generating the SQL so, I can address performance issues with the entity query. All I have from the tool is the SQL query that was generated by entity framework.
How are others tracking down SQL query issues in production? I know I can use Glimpse but how can you track back to the entity framework query that generated the SQL if you just have the raw SQL? I tried using the predicate builder to add a dummy where clause to see if that would show up in the SQL but it is ignored. like
predicate = predicate.Or(u => "methodName" == "methodName");
Thanks for the help.
You could use New Relic to instrument the application and SQL. They have a feature called "Key Transactions" which can tell you the slow transactions (really set up just for web requests, but you can theoretically get it working for other types of apps) and allow you to see the slow SQL queries within those transactions.
In order to add your data access layer in to the methods being instrumented, you can edit the instrumentation xml files as per https://docs.newrelic.com/docs/dotnet/dotnet-agent-custom-metrics
Note that the Key Transactions feature is in the premium addition, which costs. You do get that free for a while, so it might be worth a look to see if it provides enough value to you.
(I have no affiliation with New Relic, by the way.)
If you have a test suite covering the code that generates the queries, you could use this to save the generated SQL queries out to file along with the DAL method that generated them. You could do this by using the following code (taken from this SO answer regarding viewing the SQL):
var result = from x in appEntities
where x.id = 32
select x;
var sql = ((System.Data.Objects.ObjectQuery)result).ToTraceString();
If you saved these queries and method names in some structured fashion (e.g. CSV), perhaps as a side effect of the test run, you might be able to do a reverse lookup by searching this file for the query you see from production. You might have to do some normalisation, e.g. strip out all non-significant whitespace and in both cases take out the parameter assignments.
How can I use the tools to generate DAOs?
In fact, instead of passing through the hbm files, I need to configure hibernate tools to generate the DAO and the annotations.
See Hibernate Tools - DAO generation and How generate DAO with Hibernate Tools in Eclipse?
First let me assume DAO as POJO/Entity beans. Basically you can accomplish your task either through forward or reverse engineering. In case of forward engineering, probably you can look into AndroMDA tool. In case If u wish to accomplish it through reverse engineering Click here ..
Hope this will be helpful.
Welcome. You got to write all your data access logic by your hand (if I’m not wrong). Hiberante let you interact with database in three ways.
Native SQL which is nothing but DDL/plain SQL query. This can be used very rarely in hibernate projects even though this is faster than below mentioned options. Reason is simple “One of the key advantage of hibernate or any other popular ORM framework over JDBC Is you can get rid of database specific queries from your application code!”
HQL stands for hibernate query language which is proprietary query language of hibernate. This looks similar to native SQL queries but the key difference is object/class name will be used instead of table name and public variable names will be used instead of column names. This is more Object oriented approach. Some interesting things will be happening in background and check if you are keen!
Criteria API is a more object oriented and elegant alternative to Hibernate Query Language (HQL). It’s always a good solution to an application which has many optional search criteria.
You can find lots of examples on internet. Please post your specific requirements for further clarification on your problem.
Cheers!
When using the Entity Framework, does ESQL perform better than Linq to Entities?
I'd prefer to use Linq to Entities (mainly because of the strong-type checking), but some of my other team members are citing performance as a reason to use ESQL. I would like to get a full idea of the pro's/con's of using either method.
The most obvious differences are:
Linq to Entities is strongly typed code including nice query comprehension syntax. The fact that the “from” comes before the “select” allows IntelliSense to help you.
Entity SQL uses traditional string based queries with a more familiar SQL like syntax where the SELECT statement comes before the FROM. Because eSQL is string based, dynamic queries may be composed in a traditional way at run time using string manipulation.
The less obvious key difference is:
Linq to Entities allows you to change the shape or "project" the results of your query into any shape you require with the “select new{... }” syntax. Anonymous types, new to C# 3.0, has allowed this.
Projection is not possible using Entity SQL as you must always return an ObjectQuery<T>. In some scenarios it is possible use ObjectQuery<object> however you must work around the fact that .Select always returns ObjectQuery<DbDataRecord>. See code below...
ObjectQuery<DbDataRecord> query = DynamicQuery(context,
"Products",
"it.ProductName = 'Chai'",
"it.ProductName, it.QuantityPerUnit");
public static ObjectQuery<DbDataRecord> DynamicQuery(MyContext context, string root, string selection, string projection)
{
ObjectQuery<object> rootQuery = context.CreateQuery<object>(root);
ObjectQuery<object> filteredQuery = rootQuery.Where(selection);
ObjectQuery<DbDataRecord> result = filteredQuery.Select(projection);
return result;
}
There are other more subtle differences described by one of the team members in detail here and here.
ESQL can also generate some particularly vicious sql. I had to track a problem with such a query that was using inherited classes and I found out that my pidly-little ESQL of 4 lines got translated in a 100000 characters monster SQL statetement.
Did the same thing with Linq and the compiled code was much more managable, let's say 20 lines of SQL.
Plus, what other people mentioned, Linq is strongly type, although very annoying to debug without the edit and continue feature.
AD
Entity-SQL (eSQL) allows you to do things such as dynamic queries more easily than LINQ to Entities. However, if you don't have a scenario that requires eSQL, I would be hesitant to rely on it over LINQ because it will be much harder to maintain (e.g. no more compile-time checking, etc).
I believe LINQ allows you to precompile your queries as well, which might give you better performance. Rico Mariani blogged about LINQ performance a while back and discusses compiled queries.
nice graph showing performance comparisons here:
Entity Framework Performance Explored
not much difference seen between ESQL and Entities
but overall differences significant in using Entities over direct Queries
Entity Framework uses two layers of object mapping (compared to a single layer in LINQ to SQL), and the additional mapping has performance costs. At least in EF version 1, application designers should choose Entity Framework only if the modeling and ORM mapping capabilities can justify that cost.
The more code you can cover with compile time checking for me is something that I'd place a higher premium on than performance. Having said that at this stage I'd probably lean towards ESQL not just because of the performance, but it's also (at present) a lot more flexible in what it can do. There's nothing worse than using a technology stack that doesn't have a feature you really really need.
The entity framework doesn't support things like custom properties, custom queries (for when you need to really tune performance) and does not function the same as linq-to-sql (i.e. there are features that simply don't work in the entity framework).
My personal impression of the Entity Framework is that there is a lot of potential, but it's probably a bit to "rigid" in it's implementation to use in a production environment in its current state.
For direct queries I'm using linq to entities, for dynamic queries I'm using ESQL. Maybe the answer isn't either/or, but and/also.