I have a multiple HQL statements which is vulnerable to the SQL injection example:
public List<Person> SearchList(String userName, String firstName, String lastName, String email) Exception {
List<Person> personList = new ArrayList<>();
String hql = " FROM **.***.***.entity.Person P WHERE ";
boolean buName = false;
boolean bfName = false;
if (StringUtils.isNotEmpty(userName)){
hql = hql + "lower(P.userName) like :userName ";
buName = true;
}
if (StringUtils.isNotEmpty(firstName) && StringUtils.isNotEmpty(lastName)){
if(buName){
hql = hql + " OR ";
}
hql = hql + "(lower(P.firstName) like :firstName AND lower(P.lastName) like :lastName) ";
bfName = true;
}
if (StringUtils.isNotEmpty(internetAddr)){
if(buName || bfName){
hql = hql + " OR ";
}
hql = hql + "lower(P.email) = :email";
}
try {
Query query = getCurrentSession().createQuery(hql);
if (StringUtils.isNotEmpty(userName)) {
query.setParameter("userName", '%'+userName.toLowerCase()+'%');
} else if (StringUtils.isNotEmpty(firstName) && StringUtils.isNotEmpty(lastName)) {
query.setParameter("firstName", '%'+firstName.toLowerCase()+'%');
query.setParameter("lastName", '%'+lastName.toLowerCase()+'%');
} else if (StringUtils.isNotEmpty(email)) {
query.setParameter("email", email.toLowerCase());
}
personList = query.list();
} catch(Exception e){
throw new Exception(e.getMessage());
}
return personList;
}
Here I am avoiding concatenations in the query "'%" + userName + "%'" to avoid SQL injection vulnerability and now I am seeing exceptions related to
Named parameters not bound: lastname
This happens based the searches with firstname. How can I avoid this?
You should correct this:
to this:
as you should add named parameters to HQL and set them via
query.setParameterconsistently.NOTE
You can use concatenation (operation) in HQL like below:
It will allow you to avoid SQL injection too. But please note that this
likemost likely will lead to the full table scan.