Replies: 2 comments 1 reply
-
Hi @wearpants, thanks for your question! Because VulcanSQL supports multiple connectors (e.g. Snowflake, BigQuery, ...), we delegate SQL injection handling to the connectors' prepared statements, through the parameterized queries of each connector's client:

BigQuery: https://cloud.google.com/bigquery/docs/parameterized-queries

```sql
SELECT word, word_count FROM `bigquery-public-data.samples.shakespeare`
WHERE corpus = @corpus AND word_count >= @min_word_count
ORDER BY word_count DESC
```

```sql
SELECT word, word_count FROM `bigquery-public-data.samples.shakespeare`
WHERE corpus = :1 AND word_count >= :2
ORDER BY word_count DESC
```

So, we replace the input parameters with parameterized values like $1, $2, etc., and record the input values in the Parameterizer when sending a query from an API request with query arguments. Then we organize the SQL statement with the parameterized query in the DataQueryBuilder and send it to the connector, delegating to the connector client to handle SQL injection and execute the SQL query. You could see #40 to read more.
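To illustrate the flow described in the comment above (template tokens replaced by positional placeholders, values collected on the side and handed to the driver untouched), here is an added example. It is not VulcanSQL's own code; the names `Parameterizer`, `bind` and `buildQuery`, and the `{{name}}` token syntax, are assumptions made for the illustration.

```typescript
// Added example, not VulcanSQL's code: a minimal parameterizer in the spirit of
// the Parameterizer / DataQueryBuilder flow. Names and token syntax are hypothetical.

interface ParameterizedQuery {
  sql: string;        // SQL text containing only $1, $2, ... placeholders
  values: unknown[];  // argument values in placeholder order, passed to the driver
}

class Parameterizer {
  private values: unknown[] = [];

  // Register a request argument and return the placeholder that stands in for it.
  // The value never becomes part of the SQL text, so there is nothing to escape:
  // the connector's prepared statement receives it as data, not as SQL.
  bind(value: unknown): string {
    this.values.push(value);
    return `$${this.values.length}`;
  }

  getValues(): unknown[] {
    return [...this.values];
  }
}

// Build a query from a template whose {{name}} tokens refer to request arguments.
// Every token is swapped for a positional placeholder; unknown names are rejected
// rather than left in the SQL.
function buildQuery(template: string, args: Record<string, unknown>): ParameterizedQuery {
  const p = new Parameterizer();
  const sql = template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_match: string, name: string) => {
    if (!(name in args)) {
      throw new Error(`missing argument: ${name}`);
    }
    return p.bind(args[name]);
  });
  return { sql, values: p.getValues() };
}
```

A value such as `hamlet' OR '1'='1` therefore ends up in `values`, bound as a plain string by the driver, while the SQL text only ever contains `$1`.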
-
@cyyeh Maybe we should add a SQL injection section in our documentation as well?
-
Was wondering how you deal with SQL injection attacks, couldn't find the relevant parsing/escape code, could you point me to it?