Question | SQL injection

[Nirlah]

Hi,

What is the preferred method to prevent SQL injections using this library?

Thanks 😀

[Ostico]

In the next version of OrientDB it should be present.

[cqcwillard]

I believe OrientDB only supports client side prepared statements at the moment, is this correct? The NodeJS library appears to be encoding the values on the client side as well.

We're using 2.1.

References:
https://github.com/codemix/oriento/blob/master/lib/transport/binary/protocol28/operations/command.js
https://github.com/orientechnologies/orientdb/blob/master/core/src/main/java/com/orientechnologies/orient/core/sql/OCommandExecutorSQLSelect.java

[Ostico]

Tes @cqcwillard , you're right.

There are no way to perform prepared statement and server side sanitization like PDO and MySQL does.

I'm planning to add a PDO like interface to this driver and implement client side the prepared statement object.

[TACIXAT]

I was really excited to try out OrientDB. This is pretty much a non-starter for me though. Security features are super important, they should be supported server side and not reimplemented in each client.