Are ActiveRecord / nHibernate SQL generation "safe"?

I am building this system, Stacked, and I am creating a search function. In the process, it occurred to me that perhaps AR / NHibernate Expression.Like (and siblings) may not be 100% "safe", since you can pass in things like "\r\ndrop database xxx; ---" and so on...?

I expect them to be safe, but I'm not sure...

+1




2 answers


NHibernate (and by extension ActiveRecord) generates parameterized SQL statements for queries, of the form

    sp_executesql 'select blah from table where column = @p1', '@p1 varchar(10)', @p1 = 'drop database xxx;---'

These kinds of SQL statements are safe from SQL injection because the contents of the parameters are not executed (as they would be if simple concatenation were used).



So, yes, both are "safe".

+4


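An added illustration, not code from the question, the answer, or NHibernate itself: the same contrast between concatenated and parameterized SQL, written in Python against an in-memory SQLite database, which binds parameters the way sp_executesql does in the answer above. The table, the names and the search terms are constructed for the example. It also shows the one thing parameter binding does not cover for an Expression.Like-style search: the % and _ wildcards of LIKE still come from the user, so a literal search has to escape them.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real application data).
NAMES = ["alice", "bob", "a_b"]


def setup():
    """Create an in-memory table and populate it with the sample names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [(n,) for n in NAMES])
    conn.commit()
    return conn


def search_concat(conn, term):
    """Vulnerable: the search term is spliced into the SQL text, so the
    parser sees whatever the user typed as part of the statement."""
    sql = f"SELECT name FROM users WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, term):
    """Parameterized: the term travels as a bound value. The SQL text is
    fixed before the value is attached, so quotes and comments in the
    term are just characters to compare against."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name LIKE ?", (f"%{term}%",))]


def escape_like(term, esc="\\"):
    """Neutralize LIKE metacharacters so the user's text matches literally.
    The escape character itself must be escaped first."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_param_literal(conn, term):
    """Parameterized AND wildcard-safe: binding stops SQL injection, the
    ESCAPE clause stops the user from widening the match with % or _."""
    pattern = f"%{escape_like(term)}%"
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'", (pattern,))]


if __name__ == "__main__":
    db = setup()
    tautology = "%' OR 1=1 --"
    print("concat, injected:", search_concat(db, tautology))      # every row
    print("param, injected: ", search_param(db, tautology))       # no rows
    print("param, '_':      ", search_param(db, "_"))             # every row (wildcard)
    print("escaped, '_':    ", search_param_literal(db, "_"))     # only 'a_b'
```

With the tautology payload the concatenated query returns the whole table, while the bound version simply looks for a name containing the payload and finds none. The last two calls are the caveat for Expression.Like: binding alone still lets a single underscore match every row, and only the escaped pattern restricts the match to the name that literally contains one.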


If you find a security bug, you should definitely report it. Many people rely on such things.



0

