如何解决雅典娜的SQL注入? [英] How to solve SQL injection for Athena?

问题描述

我正在编写一个从Athena访问数据的Spring Java程序，但是我发现Athena JDBC驱动程序不支持PreparedStatement，有人知道如何避免在Athena上进行SQL注入吗?

I am working on writing a Spring Java program accessing data from Athena, but I found that Athena JDBC driver does not support PreparedStatement, does anyone have idea about how to avoid SQL injection on Athena?

推荐答案

在准备查询之前，您必须将SQL查询格式化为字符串，并通过字符串串联来包含变量.

You'll have to format your SQL query as a string before you prepare the query, and include variables by string concatenation.

换句话说，欢迎来到大约2005年的PHP编程！:-(

In other words, welcome to PHP programming circa 2005! :-(

这使您和您的应用程序代码有责任确保变量安全，并且不会引起SQL注入漏洞.

This puts the responsibility on you and your application code to ensure the variables are safe, and don't cause SQL injection vulnerabilities.

例如，您可以将变量插入数字数据类型，然后再将其插入SQL.

For example, you can cast variables to numeric data types before you interpolate them into your SQL.

或者，当可以声明一组可能允许的有限值时，您可以创建一个允许列表.如果您接受输入，请对照白名单进行检查.如果输入不在允许列表中，请不要将其用作SQL语句的一部分.

Or you can create an allowlist when it's possible to declare a limited set of values that may be allowed. If you accept input, check it against the whitelist. If the input is not in the allowlist, don't use it as part of your SQL statement.

我建议您向AWS Athena项目提供反馈，并询问他们何时在其JDBC驱动程序中提供对SQL查询参数的支持.通过 Athena-feedback@amazon.com

I recommend you give feedback to the AWS Athena project and ask them when they will provide support for SQL query parameters in their JDBC driver. Email them at Athena-feedback@amazon.com

另请参阅以下相关问题: AWS Athena JDBC PreparedStatement

See also this related question: AWS Athena JDBC PreparedStatement

这篇关于如何解决雅典娜的SQL注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！