How to prevent query injection on Google Big Query

Views: 171

Problem description



I'm writing some Google Big-query dynamic reporting utilities to our website, that will allow users to select a parameter to be replaced in the query. Given this query "template":

SELECT  name ,
        birthday
FROM    [dataset.users]
WHERE   registration_date = '{{registration_date}}'

we take the {{registration_date}} value from the user and replace it in the template, resulting in a query:

SELECT  name ,
        birthday
FROM    [dataset.users]
WHERE   registration_date = '2013-11-11'

How can I prevent sql-injection like attacks in this scenario, given that I'm executing the queries using the Google Big-query client API, and the API doesn't allow one to use positional parameters as on traditional RDBMS APIs.

Solution

Check "Defense Option 3: Escaping All User Supplied Input" in OWASP:

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet#Defense_Option_3:_Escaping_All_User_Supplied_Input

UPDATE: Parameterized queries are an option now
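The following is an added example (not part of the original question or answer) showing both defences the answer points at, applied to the report template from the question. It assumes the request-body shape of the BigQuery REST `jobs.query` call (`query`, `useLegacySql`, `queryParameters` with `name`, `parameterType` and `parameterValue`) and builds that body as a plain dict so it runs offline with no network call; the injection payload is a constructed sample. Note that named parameters (`@name`) are only available in Standard SQL, so the template also switches from the legacy `[dataset.users]` reference to the Standard SQL backtick form.

```python
"""Injection defences for a BigQuery report template.

Added example, not code from the original post. Assumed: the BigQuery
REST jobs.query request shape built below. Nothing is sent anywhere.
"""
import datetime
import re

# The question's template, legacy SQL, value spliced into a string literal.
TEMPLATE_LEGACY = (
    "SELECT name, birthday FROM [dataset.users] "
    "WHERE registration_date = '{{registration_date}}'"
)

# Standard SQL template with a named parameter; the value never enters the SQL text.
TEMPLATE_STANDARD = (
    "SELECT name, birthday FROM `dataset.users` "
    "WHERE registration_date = @registration_date"
)

# Constructed sample payload: closes the literal and appends a tautology.
PAYLOAD = "2013-11-11' OR '1'='1"


def vulnerable_render(user_value: str) -> str:
    """The original approach: raw string substitution. Do not use."""
    return TEMPLATE_LEGACY.replace("{{registration_date}}", user_value)


def canonical_date(user_value: str) -> str:
    """Strict allow-list for the one value type this slot accepts.

    Accept only YYYY-MM-DD that parses as a real calendar date and return
    the canonical re-serialised form. Anything else raises ValueError, so
    no quote, comment marker or keyword can reach the query string.
    """
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", user_value):
        raise ValueError("registration_date must be YYYY-MM-DD")
    return datetime.date.fromisoformat(user_value).isoformat()


def is_valid_date(user_value: str) -> bool:
    """True if canonical_date() would accept the value."""
    try:
        canonical_date(user_value)
        return True
    except ValueError:
        return False


def safe_render_escaped(user_value: str) -> str:
    """OWASP 'escape all input' done the strict way for a typed value:
    validate and canonicalise first, then substitute the canonical form."""
    return TEMPLATE_LEGACY.replace("{{registration_date}}", canonical_date(user_value))


def parameterized_request(user_value: str) -> dict:
    """Build a jobs.query request body with a named DATE parameter.

    The SQL text is a constant; the user value travels as typed data and
    BigQuery type-checks it server-side (a non-date is rejected, not run).
    """
    return {
        "query": TEMPLATE_STANDARD,
        "useLegacySql": False,
        "queryParameters": [
            {
                "name": "registration_date",
                "parameterType": {"type": "DATE"},
                "parameterValue": {"value": user_value},
            }
        ],
    }


if __name__ == "__main__":
    print("vulnerable:", vulnerable_render(PAYLOAD))
    print("validated:", safe_render_escaped("2013-11-11"))
    print("payload accepted by validator:", is_valid_date(PAYLOAD))
    print("parameterized body:", parameterized_request(PAYLOAD))
```

With the `google-cloud-bigquery` client library the same parameter is expressed as `bigquery.ScalarQueryParameter("registration_date", "DATE", value)` passed in `bigquery.QueryJobConfig(query_parameters=[...])`; the request-body dict above is the wire form that call produces. Prefer the parameterized form wherever the value is a filter operand; reserve validation-plus-substitution for the parts parameters cannot express, such as a column or table name chosen from a fixed allow-list.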

