Re: PostgreSQL + Hibernate, Apache Mod Security, SQL Injection and you (a love story)

David Kerr wrote:
> Howdy all,
>
> We're using Postgres 8.3 with all of our apps connecting to the database
> with Hibernate / JPA.
>
> Our security team is concerned about SQL Injection attacks, and would
> like to implement some mod_security rules to protect against it.
>
> From what I've read Postgres vanilla is pretty robust when it comes to
> dealing with SQL Injection attacks,
>

that would be a function of how you use Postgresql.   if you do the
typical PHP hacker style of building statements with inline values then
executing them, you're vunerable unless you totally sanitize all your
inputs.     see http://xkcd.com/327/

if you use parameterized calls (easy in perl, java, etc but not so easy
in php), you're should be immune.  in the past there were some issues
with specific evil mis-coded UTF8 sequences, but afaik, thats been
cleared up for quite a while.


> and when you put an abstraction layer like Hibernate on top of it,
> you're basically rock solid against them.

I would assume so, but I'm not familiar with the implementation details
of Hibernate.


> Does anyone have experience here? One of our security people found a
> generic mod_security config file that had a couple of postgres entries
> in it. Is there a full Postgres config for mod_security that the
> community recommends?
>
> Can anyone give me a good pros or cons of using mod_security when you
> have Postgres + Hibernate?
>

isn't mod_security purely for Apache httpd applications?  if you're not
using apache httpd, it seems like there's no point in using mod_security.