# ORM Security Patterns and Pitfalls

One-sentence definition: Use ORMs safely to prevent SQLi, mass assignment, and logic bugs.

## Key Facts

- Always parameterize queries; avoid concatenated HQL/JPQL/SQL.
- Disable or restrict dynamic finders/criteria that build strings.
- Mass assignment: use explicit allowlists (DTOs) and server-side checks.
- Beware N+1 and lazy loading exposing unintended data.
- Migrate raw queries through vetted stored procedures if needed.
- **Verify:** check official (ISC)² CBK and current exam outline.

## Exam Relevance

- Recognize mass assignment (BFLA/BOLA) vs SQLi risks.

**Mnemonic:** "**Params and DTOs, not strings and magic**."

## Mini Scenario

Q: User updates `role` via model bind; name the flaw/fix?

A: Mass assignment; bind only allowed fields and enforce authZ.

## Revision Checklist

- Two ORM anti-patterns.
- Mass assignment prevention.
- Raw query safeguard.

## Related

[[Secure Database Access and SQL Injection Prevention]] · [[Authorization Design (RBAC ABAC Policy Engines)]] · [[Input Validation and Output Encoding]] · [[API Security Fundamentals (REST GraphQL gRPC)]] · [[Domain 8 - Index]]