在Azure函数中对CosmosDB进行SQLInjection [英] SQLInjection against CosmosDB in an Azure function
问题描述
我已经实现了由HttpRequest触发的Azure功能.名为name
的参数作为HttpRequest的一部分传递.在 Integration
部分中,我使用以下查询从CosmosDB中检索数据(作为输入):
I have implemented an Azure function that is triggered by a HttpRequest. A parameter called name
is passed as part of the HttpRequest. In Integration
section, I have used the following query to retrieve data from CosmosDB (as an input):
SELECT * FROM c.my_collection pm
WHERE
Contains(pm.first_name,{name})
如您所见,我正在发送不带sanitizing
的名称".这里有什么SQLInjection
问题吗?
As you see I am sending the 'name' without sanitizing
it. Is there any SQLInjection
concern here?
我搜索并发现parameterization
可用,但这不是我可以做的任何事情.
I searched and noticed that parameterization
is available but that is not something I can do anything about here.
推荐答案
When the binding occurs (the data from the HTTP Trigger gets sent to the Cosmos DB Input bind), it is passed through a SQLParameterCollection
that will handle sanitization.
请查看本文 :
参数化SQL提供了强大的用户输入处理和转义功能,可防止通过"SQL注入"意外暴露数据
Parameterized SQL provides robust handling and escaping of user input, preventing accidental exposure of data through "SQL injection"
这将涵盖通过name
属性插入SQL的任何尝试.
This will cover any attempt to inject SQL through the name
property.
这篇关于在Azure函数中对CosmosDB进行SQLInjection的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!