In our codebase we use Hibernate and use it's Restrictions.sql() method use the MS SQL Server's full text search. The sqlRestriction is build using CONTAINS(column_name, search_text) predicate where the search_text is the user entered text.

Restrictions.sqlRestriction("CONTAINS("   column_name   ", ?)", "\""   userInput   "*\"", StandardBasicTypes.STRING)

Is this CONTAINS() method vulnerable to SQL Injections?

CodePudding user response：

I am not much knowledgeable in SQL Injection , but as per I have read it will only affect if you are searching for apart of text in a column using 'like', here we are searching whole user text, so I think its fine but its better to conform by doing some injection attacks yourself as testing. Better search little more on the topic or wait for some good answers

CodePudding user response：

Yes, such injection is vulnerable. That is not to say that it's CONTAINS itself which causes the issue, it's the injection which is the problem.

Unfortunately, CONTAINS() does not accept a variable for the column name, so it needs to be injected. In order to make this injection safe, you must check it against a whitelist.

If it is verified against a whitelist then there is no vulnerability. Do not just accept user input directly into the query.