Comments on: Improve the speed and security of your SQL queries

By: Ennuyer.net » Blog Archive » Rails Reading - Sept 10, 2009

Ennuyer.net » Blog Archive » Rails Reading - Sept 10, 2009 — Thu, 10 Sep 2009 19:36:01 +0000

[...] Improve the speed and security of your SQL queries | Zen and the Art of Programming [...]

By: Mario Briggs

Mario Briggs — Thu, 10 Sep 2009 08:17:05 +0000

Ankur,
you are right and wrong at the sametime. Blind faith can lead to problems
e.g.
String street = getStreetFromUser();
Query query = session.createQuery(“from Address a where a.street=’” + street + “‘”);

see – http://www.owasp.org/index.php/Interpreter_Injection#ORM_Injection

By: Ankur Shah

Ankur Shah — Wed, 09 Sep 2009 15:58:54 +0000

I think so hibernate have inbuilt support for parameterized query. So hibernate is less prone to sql injection.

By: TimothyAWiseman

TimothyAWiseman — Wed, 09 Sep 2009 15:37:06 +0000

Excellent post. Paramaterizing queries can be enormous beneficial in terms of both speed and security.

The article “The Curse and Blessing of Dynamic SQL ” at http://www.sommarskog.se/dynamic_sql.html
makes this point with examples and details for T-SQL in Microsoft SQL Server.

By: Mike Woodhouse

Mike Woodhouse — Wed, 09 Sep 2009 08:13:14 +0000

In general, I absolutely agree with the above. Where the RDBMS not only stores the parsed query but the query plan, however, one should probably be aware that queries such as the “BETWEEN” one can have unexpected adverse effects.

Consider the case where all karma values lie between 1000 and 5000 and further that karma is indexed. A SELECT for karma between 1999 and 2001 will almost certainly use the index, being suitably selective. Looking for all karmas between 1100 and 4900 would probably be best done with a table scan, but would be unexpectedly slower in the case that the query plan was re-used from the first query.

It’s a relatively rare situation but I’m sensitive to it: the scars are still healing after several years ago!