Hi guys, We have been using nhibernate for almost a year now. I wuld like to know that are there any vulnerabilities that could be injected(like SQL injection etc.) using web application. I just want to secure any nhibernate injection through web application if there are.
+1
A:
I think that one of the requirements of a proper OR/M manager, is to make sure that all queries that can be executed using the OR/M manager, are properly secured against SQL injection.
NHibernate generates parametrized queries for SQL Server, so that is secure.
Offcourse, I don't know how other providers (for other DBMS'es) generate ...
Frederik Gheysels
2009-06-08 14:41:52
I believe NH generates parameterized queries for all database providers via ADO.NET's facilities. Of course that's only one defense for many attack vectors so the fact that NH generates parameterized queries is no excuse to not check your inputs.
Stuart Childs
2009-06-08 16:14:29
A:
As Frederik said, the queries are parametrized so you have roughly the same risk of a sql injection attack as you do with a stored procedure in SQL Server. This means you are safe from direct SQL injection, but neither protect you from latent sql injection. For more info on latent SQL injection, check out the comments of Jeff Atwood's blog post here: http://www.codinghorror.com/blog/archives/000275.html
The biggest security concern with NHibernate is that you have to expose a SQL account to your application that can select/insert/update/and delete (if not doing soft deletes) on your database tables. With stored procedures you can expose an account that only has rights to execute stored procedures. This is not a problem for many places, but some places may have strict policies against direct table access.
Daniel Auger
2009-06-08 22:16:38