January 2013 - hibernate-issues - Jboss List Archives

[Hibernate-JIRA] (BVAL-359) Relax contract of ExecutableDescriptor#getParameterDescriptors()

by Gunnar Morling (JIRA)

13 years, 2 months

1
2
0 / 0

[Hibernate-JIRA] (HHH-7962) SQLQuery starting with brackets gives NPE

by Koen Verrecken (JIRA)

13 years, 2 months

1
1
0 / 0

[Hibernate-JIRA] (HHH-7961) Allow keywords in INSERT's attribute_list, or provide a way to escape them.

by Ondra Žižka (JIRA)

13 years, 2 months

1
0
0 / 0

[Hibernate-JIRA] Created: (HHH-3811) Bug: No ability to escape SQL keywords in HQL queries.

by John Roberts (JIRA)

Bug: No ability to escape SQL keywords in HQL queries. ------------------------------------------------------ Key: HHH-3811 URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-3811 Project: Hibernate Core Issue Type: Bug Components: core Affects Versions: 3.3.0.CR1 Environment: 3.3.0.CR1, MS SQL Server 2005 Express Reporter: John Roberts Priority: Critical There appears to be no way to escape property names that are SQL keywords in HQL queries. For example, if you have a property named "key", which is a reasonable name for a property, and you are constructing an HQL query, e.g.: session.createQuery("select from Entities where key=?"); That will fail on MS SQL Server, because "key" is a reserved T-SQL keyword. However, there is no way to make it succeed, as either an absent-minded developer appears to have forgotten to add the ability to escape keywords to HQL (oops), or it's the secret of the millennium and was left out of the documentation on purpose (it has certainly boggled the minds of the folks on FreeNode #java, #hibernate, and the hibernate forum). Note that none of the following will succeed (this is what I have tried so far): session.createQuery("select from Entities where key=?"); session.createQuery("select from Entities where [key]=?"); // <-- mssql style still fails to be parsed session.createQuery("select from Entities where `key`=?"); session.createQuery("select from Entities where 'key'=?"); session.createQuery("select from Entities where \"key\"=?"); session.createQuery("select from Entities where ''key''=?"); session.createQuery("select from Entities where {key}=?"); session.createQuery("select from Entities where <key>=?"); session.createQuery("select from Entities where (key)=?"); session.createQuery("select from Entities where $key$=?"); session.createQuery("select from Entities where $key=?"); Note that using the underlying DBMS's escape method *does* work for column names in the entity mappings, but does not work in actual HQL. Since most DBMS's have their own dialects of SQL, the inability to escape keywords in HQL means that it is generally impossible to guarantee that any given HQL query will work unless you specifically design your application around the underlying DBMS (which is precisely one of the things you were hoping to avoid with Hibernate -- although on the other hand you're already tied to the DBMS with escaped keywords in the entity mapping anyways). -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://opensource.atlassian.com/projects/hibernate/secure/Administrators.... - For more information on JIRA, see: http://www.atlassian.com/software/jira

13 years, 2 months

2
2
0 / 0

[Hibernate-JIRA] Created: (HHH-6672) Inserting UNION a HQL and JP-QL query string truncates the query. This makes exploiting HQL Injections easier. Security issue.

by Peter Schuler (JIRA)

Inserting UNION a HQL and JP-QL query string truncates the query. This makes exploiting HQL Injections easier. Security issue. ------------------------------------------------------------------------------------------------------------------------------ Key: HHH-6672 URL: http://opensource.atlassian.com/projects/hibernate/browse/HHH-6672 Project: Hibernate Core Issue Type: Bug Components: query-hql Affects Versions: 4.0.0.CR3, 3.6.7 Environment: Mysql Database Reporter: Peter Schuler Inserting the word 'union' anywhere in a HQL or JP-QL query truncates the query string. I consider this a security issue because it makes exploiting HQL of JP-QL injections easier. For example: from Persoon p where p.persoonId = '1' --> returns just 1 entry. But: from Persoon p union where p.persoonId = '1' --> ignores the part after union and returns the whole table. However: from Persoon p unionS where p.persoonId = '1' --> or any other word results in a QuerySyntaxException as is expected. This behaviour is documented in HHH-1050. It looks like this in a halfway implemented feature. This undocumented behaviour is a security risk because it makes exploiting JP-QL or HQL injections a lot easier. If you can inject into the query string you can easily truncate the remainder of the query. Even if the remainder will somehow restrict the the query result. This can be fixed changing the behaviour of the query parser by throwing a QuerySyntaxException. ps: I'll try to add a test case but I hope I've provided enough information. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira

13 years, 2 months

3
3
0 / 0

[Hibernate-JIRA] (HHH-7959) Hibernate/Infinispan 2nd Level Caches set to JBoss7 transaction-mode=NONE stop functioning after an explicit eviction

by Fredrik Lagerblad (JIRA)

13 years, 2 months

2
3
0 / 0

[Hibernate-JIRA] (HHH-7960) I propose creating a new tranformer that supports both the use of alias like sql column names.

by Javier Ledo Vázquez (JIRA)

13 years, 2 months

1
2
0 / 0

[Hibernate-JIRA] Created: (HHH-7293) Change index name to meet Oracle 30 chars limit

by Samuel Fung (JIRA)

Change index name to meet Oracle 30 chars limit ----------------------------------------------- Key: HHH-7293 URL: https://hibernate.onjira.com/browse/HHH-7293 Project: Hibernate ORM Issue Type: Patch Components: core Affects Versions: 4.1.1 Environment: Oracle 11g Reporter: Samuel Fung Priority: Minor Attachments: diff.txt I have an entity class that use table-per-class inheritance. One property in the base class is annotated with @org.hibernate.annotations.Index(name="..."). When Hibernate creates DB schema, the index name is prepended with the concrete class name. The final name exceeds Oracle limit of names <30 chars. I changed org.hibernate.mapping.DenormalizedTable, the index name is the hex string of hashcode of the original name. This comply the Oracle limit while (very likely) maintains uniqueness of the name. Sorry that the submitted patch is not exactly a svn diff (made by diff -u). -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira

13 years, 2 months

2
1
0 / 0

[Hibernate-JIRA] (HSEARCH-1260) LazyInitializationException while indexing

by Kai Moritz (JIRA)

13 years, 2 months

4
11
0 / 0

[Hibernate-JIRA] (BVAL-366) Fix type on ConfigurationState JavaDoc

by Emmanuel Bernard (JIRA)

13 years, 2 months

1
2
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

hibernate-issues January 2013