SQL injection prevention with hibernate

予麋鹿 2021-01-26 00:33

I have existing code where the application generates different SQL depending on lots of conditions and executes it via Hibernate sessions' createSQLQuery(). In here the parameters

2 answers
  • 2021-01-26 00:54

    If you need to assemble custom SQL into a query, I've found that writing my own criteria classes that include the custom SQL works well.

    You just need to implement the Criterion interface. https://docs.jboss.org/hibernate/orm/3.5/api/org/hibernate/criterion/Criterion.html

    (See also the Hibernate implementation of 'not null': http://www.grepcode.com/file/repo1.maven.org/maven2/org.hibernate/hibernate/3.2.4.sp1/org/hibernate/criterion/NotNullExpression.java?av=f .)

    Then you can simply build up each custom query using the normal Hibernate criteria API.

    https://docs.jboss.org/hibernate/orm/3.3/reference/en/html/querycriteria.html#querycriteria-creating

    Sanitising SQL values properly is painful - try really hard to avoid it! ;-)

  • 2021-01-26 01:00

    As far as I can tell, you want to create SQL queries on the fly because the combination of conditions (from the UI, I guess) can be very complicated. That's fine. All you need to control are the parameters that the user supplies. And for that, you can, and should, still use Hibernate's createSqlQuery(). That function understands either ? for positional parameters (numbered from the beginning of the query string) or the :param_name syntax, in which case you supply named parameters. You don't need to move anything into an XML file.

    Section 16.1.7 has examples.

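An added example (not code from the question or either answer) of the approach the second answer describes: the WHERE clause is assembled from whatever conditions apply, but every user-supplied value is bound through a named parameter rather than concatenated into the SQL text. The orders table, its column names and the whitelists are assumptions for the illustration; the only external dependency is Hibernate 3's Session/SQLQuery API.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import org.hibernate.SQLQuery;
import org.hibernate.Session;

/** Builds a conditional WHERE clause. Values become :named parameters; structural
 *  pieces (column names, operators) come from a fixed whitelist, because parameter
 *  binding cannot protect identifiers or keywords, only literal values. */
public class SafeDynamicQuery {
    // Assumed schema and whitelists for this example; not part of Hibernate.
    private static final Set<String> COLUMNS = new HashSet<String>(Arrays.asList("customer", "status", "amount"));
    private static final Set<String> OPS = new HashSet<String>(Arrays.asList("=", "<>", "<", ">", "LIKE"));

    private final StringBuilder sql = new StringBuilder("SELECT * FROM orders WHERE 1=1");
    private final Map<String, Object> params = new LinkedHashMap<String, Object>();
    private int next = 0;

    /** Appends "AND column op :pN" for a whitelisted column/op; the value never touches the SQL text. */
    public SafeDynamicQuery and(String column, String op, Object value) {
        if (!COLUMNS.contains(column) || !OPS.contains(op)) {
            throw new IllegalArgumentException("column/operator not permitted: " + column + " " + op);
        }
        String name = "p" + next++;
        sql.append(" AND ").append(column).append(' ').append(op).append(" :").append(name);
        params.put(name, value);
        return this;
    }

    public String sql() { return sql.toString(); }
    public Map<String, Object> params() { return params; }

    /** Hands the assembled text to Hibernate and binds each collected value by name. */
    public SQLQuery bind(Session session) {
        SQLQuery query = session.createSQLQuery(sql.toString());
        for (Map.Entry<String, Object> e : params.entrySet()) {
            query.setParameter(e.getKey(), e.getValue());
        }
        return query;
    }

    public static void main(String[] args) {
        // Constructed input containing a quote, which would break a concatenated string literal.
        SafeDynamicQuery q = new SafeDynamicQuery().and("customer", "=", "O'Brien").and("amount", ">", 100);
        System.out.println(q.sql());
        System.out.println(q.params());
        // In an application: List rows = q.bind(session).list();
    }
}
```

The quote in the customer value is irrelevant to the SQL text because Hibernate passes it to the JDBC driver as a bound parameter; only the whitelisted column and operator ever reach the query string.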