Hello,

Plain-vanilla NHibernate setup, e.g., no Fluent NHibernate, no HQL, nothing except domain objects and NHibernate mapping files. I load objects via:

_lightSabers = session.CreateCriteria(typeof(LightSaber)).List<LightSaber>();

I apply raw user input directly to one property on the "LightSaber" class:

myLightSaber.NameTag = "Raw malicious text from user";

I then save the LightSaber:

session.SaveOrUpdate(myLightSaber);

Everything I've seen says that yes, under this situation you are immune to SQL injection, because of the way NHibernate parameterizes and escapes the queries under the hood. However, I'm also a relative NHibernate beginner so I wanted to double-check.

Thanks!

+3  A: 

Yes, you're almost immune to SQL injection when using NHibernate. It uses parameterized queries for all generated SQL statements on all platforms that support these.

You can, however, circumvent this by using custom SQL for insertions/updates, or by executing SQL with a variation of execute_sql of some sort, or SQL queries without parameters.

Anton Gogolev
+2  A: 

You're safe as long as you don't plug user input directly into HQL or SQL: nothing else (of the functionality NHibernate provides) will allow users to inject malicious code.

Tomislav Nakic-Alfirevic
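The two answers above draw the same line: NHibernate binds parameters for the SQL it generates, and you only lose that protection by splicing user input into query text yourself. The following is an added example, not code from the question or from either answer, that puts the safe and unsafe forms side by side. It assumes the question's LightSaber entity with a string NameTag property mapped to a LightSaber table with a NameTag column, and an open ISession; the MaliciousTag value is a constructed payload.

```csharp
// Added example (not from the original question or answers): the query styles
// discussed above, each in the form NHibernate parameterizes for you and in the
// concatenated form that reopens SQL injection.
// Assumes the question's LightSaber entity (string NameTag) mapped to a table
// LightSaber with a NameTag column, and an open ISession.
using System.Collections.Generic;
using NHibernate;
using NHibernate.Criterion;

public static class LightSaberQueries
{
    // Constructed attacker input. Bound as a parameter it is just a string value;
    // spliced into query text it turns an equality lookup into a row dump.
    public const string MaliciousTag = "x' OR '1'='1' --";

    // SAFE: Criteria API. NHibernate emits "... WHERE NameTag = ?" and binds the value.
    public static IList<LightSaber> ByTagCriteria(ISession session, string tag)
    {
        return session.CreateCriteria(typeof(LightSaber))
            .Add(Restrictions.Eq("NameTag", tag))
            .List<LightSaber>();
    }

    // SAFE: HQL with a named parameter. The value never becomes part of the query text.
    public static IList<LightSaber> ByTagHql(ISession session, string tag)
    {
        return session.CreateQuery("from LightSaber s where s.NameTag = :tag")
            .SetString("tag", tag)
            .List<LightSaber>();
    }

    // SAFE: native SQL with a bound parameter; same guarantee as the two above.
    public static IList<LightSaber> ByTagSqlParameterized(ISession session, string tag)
    {
        return session.CreateSQLQuery("SELECT * FROM LightSaber WHERE NameTag = :tag")
            .AddEntity(typeof(LightSaber))
            .SetString("tag", tag)
            .List<LightSaber>();
    }

    // VULNERABLE: the same native query with the user's string concatenated in.
    // With MaliciousTag the database receives
    //   SELECT * FROM LightSaber WHERE NameTag = 'x' OR '1'='1' --'
    // and returns every row. NHibernate cannot help here; it only sees the final text.
    public static IList<LightSaber> ByTagSqlConcatenated(ISession session, string tag)
    {
        string sql = "SELECT * FROM LightSaber WHERE NameTag = '" + tag + "'";
        return session.CreateSQLQuery(sql)
            .AddEntity(typeof(LightSaber))
            .List<LightSaber>();
    }

    // VULNERABLE: HQL is not immune either when the input is spliced into the string.
    // The attacker reshapes the HQL, and NHibernate faithfully translates the result to SQL.
    public static IList<LightSaber> ByTagHqlConcatenated(ISession session, string tag)
    {
        return session.CreateQuery("from LightSaber s where s.NameTag = '" + tag + "'")
            .List<LightSaber>();
    }
}
```

The property assignment and SaveOrUpdate in the question fall on the safe side: the generated UPDATE carries NameTag as a bound parameter, exactly like the first three methods. A quick audit rule that follows from this is to grep for CreateSQLQuery and CreateQuery calls whose argument is built with `+` or string.Format from anything that originated outside the code.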
+1  A: 

Just to echo others, if you let NHibernate generate your SQL you're safe, at least in theory.

However, you still need to be careful with stored procedures, triggers, and functions in the database, particularly with dynamic SQL. Even though the client uses parameterized queries everywhere, injection may still be possible.

EvilRyry
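The case this answer warns about is easy to miss because nothing on the client side looks wrong. The following is an added example, not code from the thread, showing a fully parameterized NHibernate call into a stored procedure whose body concatenates the parameter into dynamic SQL, beside the corrected procedure. It assumes SQL Server (T-SQL), the question's LightSaber table with a NameTag column, and an open ISession; the procedure names and the MaliciousTag payload are constructed for the example.

```csharp
// Added example (not from the original thread): the application side is
// parameterized, yet the stored procedure it calls builds dynamic SQL by
// concatenation, so the injection happens inside the database.
// Assumes SQL Server (T-SQL), the question's LightSaber table with a NameTag
// column, and an open NHibernate ISession. Procedure names are invented here.
using System.Collections.Generic;
using NHibernate;

public static class StoredProcedureInjection
{
    // VULNERABLE procedure: @tag arrives as a proper parameter, then is pasted
    // into a string that EXEC runs as a fresh batch. Parameterization ends at EXEC.
    public const string VulnerableProcedure = @"
CREATE PROCEDURE dbo.FindLightSabersByTag_Vulnerable @tag NVARCHAR(200)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT * FROM LightSaber WHERE NameTag = ''' + @tag + N'''';
    EXEC (@sql);
END";

    // FIXED procedure: the dynamic statement keeps a placeholder and sp_executesql
    // binds @tag to it, so the value can never alter the statement's structure.
    public const string FixedProcedure = @"
CREATE PROCEDURE dbo.FindLightSabersByTag @tag NVARCHAR(200)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT * FROM LightSaber WHERE NameTag = @p';
    EXEC sp_executesql @sql, N'@p NVARCHAR(200)', @p = @tag;
END";

    // Constructed attacker input. Bound by NHibernate it is harmless; inside the
    // vulnerable procedure the EXEC runs
    //   SELECT * FROM LightSaber WHERE NameTag = 'x' OR 1=1 --'
    // and returns the whole table.
    public const string MaliciousTag = "x' OR 1=1 --";

    // Client call into the vulnerable procedure. The call itself is parameterized
    // (tag is bound, never concatenated), which is exactly why the client-side
    // review finds nothing wrong.
    public static IList<LightSaber> ViaVulnerableProcedure(ISession session, string tag)
    {
        return session.CreateSQLQuery("EXEC dbo.FindLightSabersByTag_Vulnerable :tag")
            .AddEntity(typeof(LightSaber))
            .SetString("tag", tag)
            .List<LightSaber>();
    }

    // Identical client call into the fixed procedure. With MaliciousTag this
    // returns only rows whose NameTag literally equals "x' OR 1=1 --".
    public static IList<LightSaber> ViaFixedProcedure(ISession session, string tag)
    {
        return session.CreateSQLQuery("EXEC dbo.FindLightSabersByTag :tag")
            .AddEntity(typeof(LightSaber))
            .SetString("tag", tag)
            .List<LightSaber>();
    }
}
```

The practical check is on the database side, not in the .NET code: search procedure, trigger, and function bodies for EXEC with a parenthesized string, or for sp_executesql called without a parameter definition, and for any place a parameter is concatenated into a string that is later executed. Each such site reintroduces the injection that NHibernate's parameter binding removed.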