Preventing SQL Injection

[r0man]

Hello,

what's the proper way to prevent SQL injection in the Java client? I found this ticket for the Go client, but could not find anything related in the Java sources.

influxdata/influxdb#2926

Thanks, Roman.

[majst01]

Hi @r0man

This is indeed required. Any idea how we could implement such a prepared statement parse with as least effort as possible ?

[r0man]

@majst01 Thanks for the confirmation. No, don't have an idea yet. I'll let you know if I do :)

[joelmarty]

Perhaps the most obvious way would be to support prepared statements in the jdbc lib or hibernate framework does i.e. :

PreparedQuery pq = new PreparedQuery("SELECT * FROM measures WHERE time > :lowerBound and time < :upperBound and device = :device");
pq.setDate("lowerBound", myLowerDate);
pq.setDate("upperBound", myUpperDate);
pq.setString("device", myDevice);

this way you can sanitize the input for each argument.

[majst01]

sure, but i dont want to add hibernate for example as a direct dependency to influxdb-java.

Is there any small implementation out there which can be reused easily ?

[majst01]

From Influxdb documentation this must look like:

curl -G 'http://localhost:8086/query?db=mydb' --data-urlencode 'q=SELECT * FROM "mymeas" WHERE "myfield" > $field_value' --data-urlencode 'params={"field_value":30}'

so adding a params parameter to the Influxdb.query should do the trick.

[r0man]

Thanks!

[majst01]

But the current implementation does not allow this kind of query. We need to add this ability.

[majst01]

I quite simple impl of Select is here https://github.com/gocraft/dbr/blob/master/select.go but apperently in golang. Could be used as a starting point