Find Security Bugs - Real SQL injection or false positive?


I am using FindBugs along with the plugin Find Security Bugs to help me find security flaws in my code. I am not sure why some code is flagged as vulnerable to SQL injection.

Here are two examples:

import org.hibernate.Query;
import org.hibernate.Session;

// Example 1: the query text is a fixed string; nothing external is appended to it.
final StringBuilder queryString = new StringBuilder("SELECT users.login FROM Users users, Table table WHERE users.idUser = table.users.idUser");
Query query = session.createQuery(queryString.toString()); // This line is flagged

// Example 2: the only variable part is the named parameter :id, bound with setInteger().
StringBuilder queryString = new StringBuilder("SELECT data FROM Table ");
queryString.append("WHERE table.idEntreprise = :id");
Query query = session.createQuery(queryString.toString()).setInteger("id", id); // This line is flagged

Is it a false positive, or did I miss something? If I understand the matter correctly, using createQuery() and setX() should be enough?

On BEST ANSWER

This is a false positive. Named query parameters are escaped by Hibernate, so no SQL injection can be performed.

Even the first query without named parameters is safe since it does not use external input for the users.idUser parameter.
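The warning comes from the static analyzer rather than from a real data flow: Find Security Bugs raises SQL_INJECTION_HIBERNATE whenever the argument to createQuery() is not a compile-time constant, and a StringBuilder.toString() result can never be proven constant, so both snippets above are reported even though neither lets external input into the query text. The following added example (not part of the question or the answer; the entity and field names, the Session and the Hibernate 4-style Query API are assumed) puts the pattern the detector is meant to catch next to the pattern it cannot tell apart from it, so the difference the answer describes is visible in code:

```java
import java.util.List;
import org.hibernate.Query;
import org.hibernate.Session;

/**
 * Added example: named-parameter binding versus string concatenation in
 * Hibernate HQL. "Data", "idEntreprise" and the Session are assumed names.
 */
public class HqlParameterBinding {

    /**
     * Safe, and not flagged: the HQL text is a compile-time constant, so the
     * analyzer can see that no external input reaches it. The caller's id is
     * bound as a parameter and travels to the database separately from the
     * statement text, so it cannot be parsed as part of the query.
     */
    private static final String BY_ENTERPRISE =
        "SELECT d FROM Data d WHERE d.idEntreprise = :id";

    @SuppressWarnings("unchecked")
    public static List<Object> findByEnterprise(Session session, int id) {
        Query query = session.createQuery(BY_ENTERPRISE);
        query.setParameter("id", id);
        return query.list();
    }

    /**
     * Safe in practice but flagged: identical query, identical binding, only
     * the text is assembled at runtime through a StringBuilder. The detector
     * cannot prove the builder was fed nothing but literals, so it reports
     * the createQuery() call. This is the situation in the question.
     */
    @SuppressWarnings("unchecked")
    public static List<Object> findByEnterpriseBuilder(Session session, int id) {
        StringBuilder hql = new StringBuilder("SELECT d FROM Data d ");
        hql.append("WHERE d.idEntreprise = :id");
        Query query = session.createQuery(hql.toString()); // flagged, false positive
        query.setParameter("id", id);
        return query.list();
    }

    /**
     * Genuinely vulnerable: a request-controlled string becomes part of the
     * HQL text itself, so anything containing HQL syntax changes what the
     * query means. This is what the same warning is meant to catch; the fix
     * is to bind the value as in findByEnterprise().
     */
    @SuppressWarnings("unchecked")
    public static List<Object> findByEnterpriseUnsafe(Session session, String idFromRequest) {
        String hql = "SELECT d FROM Data d WHERE d.idEntreprise = " + idFromRequest;
        return session.createQuery(hql).list(); // flagged, true positive
    }
}
```

The practical consequence for the code in the question: moving the query text into a String constant (or a single literal passed straight to createQuery()) removes the warning without changing behaviour, and keeps the detector useful for the concatenation case it exists to find.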