SQLInjection against CosmosDB in an Azure function


Question

I have implemented an Azure function that is triggered by an HttpRequest. A parameter called name is passed as part of the HttpRequest. In the Integration section, I have used the following query to retrieve data from CosmosDB (as an input):

SELECT * FROM c.my_collection pm
WHERE Contains(pm.first_name, {name})

As you see, I am sending the 'name' without sanitizing it. Is there any SQL injection concern here?

I searched and noticed that parameterization is available, but that is not something I can do anything about here.

Answer

When the binding occurs (the data from the HTTP Trigger gets sent to the Cosmos DB Input bind), it is passed through a SQLParameterCollection that will handle sanitization.

Take a look at this article:

Parameterized SQL provides robust handling and escaping of user input, preventing accidental exposure of data through "SQL injection"

This will cover any attempt to inject SQL through the name property.
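To make the answer's point concrete, here is an added example (not from the question, the answer, or Azure's own code) showing in JavaScript why the parameterized form the binding uses is safe where string concatenation is not; the query-spec object is the shape the `@azure/cosmos` SDK accepts, the sample name is constructed, and the live `container.items.query()` call is only shown in a comment because it needs a real account.

```javascript
// Added example: parameterized vs. concatenated Cosmos DB SQL.
// The Cosmos DB input binding does the parameterized form for you:
// {name} in the binding's sqlQuery becomes a SQL parameter, which is
// the same mechanism as the query spec built below.

// Unsafe: the caller-controlled value becomes part of the query text,
// so any quote character in the input changes the query's structure.
function unsafeQueryText(name) {
  return `SELECT * FROM c WHERE CONTAINS(c.first_name, '${name}')`;
}

// Safe: the query text is fixed for every input; the value travels
// separately as a parameter and is never interpreted as SQL. This is
// a SqlQuerySpec as accepted by @azure/cosmos container.items.query().
function safeQuerySpec(name) {
  return {
    query: "SELECT * FROM c WHERE CONTAINS(c.first_name, @name)",
    parameters: [{ name: "@name", value: String(name) }],
  };
}

// A legitimate first name with an apostrophe is enough to show the
// difference: the concatenated text ends up with unbalanced quotes,
// while the parameterized query text does not contain the input at all.
function demo() {
  const input = "O'Brien"; // constructed sample input
  const unsafe = unsafeQueryText(input);
  const safe = safeQuerySpec(input);
  return {
    unsafeQuoteCount: (unsafe.match(/'/g) || []).length, // 3 quotes: unbalanced
    safeTextContainsInput: safe.query.includes(input),   // false
    safeParamValue: safe.parameters[0].value,            // "O'Brien", intact
  };
}

// Inside a function with a configured client, the safe spec would be run as
// (not executed here, it needs a live Cosmos DB account):
//   const { resources } = await container.items.query(safeQuerySpec(name)).fetchAll();
```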

