riak search java client - sql injection

Christopher Meiklejohn cmeiklejohn at basho.com
Mon Mar 23 13:49:36 EDT 2015


> On Mar 22, 2015, at 7:03 PM, Jason W <jason.w.prog at gmail.com> wrote:
> 
> Hello,
> 
> I am trying to use the riak search java client, specifically the Search.Builder class, like the following 
> 
> Search search = new Search.Builder("test", "_yz_rb:accounts AND email:" + [user-email]).
> 
> 
> 
> "[user-email]" is what the user entered in the login form. My question is about SQL injection: it seems like the Java search client API doesn't prevent SQL injection. Are there any other APIs/methods that I can use to prevent this?  Thank you

Hello Jason,

Search is not SQL; queries are specified in the Solr [1] query syntax, so they’re not vulnerable to a SQL injection attack, given that the basis of a SQL injection attack is to end a query and start a new one using unvalidated syntax.  While it’s not directly the same thing, it is in the same class of attacks: it’s possible for a user to add additional criteria to the query, given the way you’ve written your search query.  I highly recommend you sanitize your inputs before passing them to the query builder.

- Chris

[1] https://wiki.apache.org/solr/SolrQuerySyntax

Christopher Meiklejohn
Senior Software Engineer
Basho Technologies, Inc.
cmeiklejohn at basho.com
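The sanitizing Chris recommends, as an added example that is not part of this thread and not code from the Riak client: a small Java helper (the class name `SafeSolrQuery`, the `accountQuery` method and the e-mail allow-list pattern are all assumptions of this example) that validates the login-form value against a conservative allow-list and then backslash-escapes every character the Lucene/Solr query parser treats specially, so the user-controlled part of `_yz_rb:accounts AND email:...` can only ever be a single literal term and cannot append `OR`, wildcards or a second field to the query.

```java
import java.util.regex.Pattern;

/**
 * Builds Riak Search (Solr syntax) queries from untrusted login-form input.
 * Hypothetical example code; not part of the Riak Java client.
 */
public final class SafeSolrQuery {

    // Characters that the Lucene/Solr query parser treats specially.
    // Whitespace is escaped as well (see escapeQueryChars), so a value
    // cannot split itself into several terms or operators.
    private static final String SPECIAL_CHARS = "\\+-!():^[]\"{}~*?|&;/";

    // Conservative allow-list for the e-mail field. Assumption: adequate for
    // this login form; adjust to the data you actually store.
    private static final Pattern EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");

    private SafeSolrQuery() {}

    /** Escapes every Solr special character so the whole value is one literal term. */
    public static String escapeQueryChars(String value) {
        StringBuilder sb = new StringBuilder(value.length() * 2);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (SPECIAL_CHARS.indexOf(c) >= 0 || Character.isWhitespace(c)) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /**
     * Validates the e-mail first and rejects anything else outright; the
     * escaping is defence in depth, since '+' and '-' are legal in addresses
     * but are also Solr operators.
     */
    public static String accountQuery(String userEmail) {
        if (userEmail == null || !EMAIL.matcher(userEmail).matches()) {
            throw new IllegalArgumentException("e-mail address has an unexpected form");
        }
        // Same shape as the query in the original question, with the
        // user-controlled part escaped.
        return "_yz_rb:accounts AND email:" + escapeQueryChars(userEmail);
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal address, and one that tries to
        // widen the query by appending its own criteria.
        String ok = "alice@example.com";
        String crafted = "alice@example.com OR _yz_rb:*";

        System.out.println("validated + escaped: " + accountQuery(ok));

        // Naive concatenation, as in the question: the appended text is
        // parsed as part of the query rather than as part of the e-mail.
        System.out.println("naive:   _yz_rb:accounts AND email:" + crafted);

        // Escaping alone already keeps the value a single literal term...
        System.out.println("escaped: _yz_rb:accounts AND email:" + escapeQueryChars(crafted));

        // ...and the allow-list rejects it before any query is built.
        try {
            accountQuery(crafted);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With the 2.x client's `Search.Builder` from the question, the call becomes `new Search.Builder("test", SafeSolrQuery.accountQuery(userEmail)).build()`. If SolrJ happens to be on the classpath, its `ClientUtils.escapeQueryChars` does the same escaping as the helper above; the allow-list check is still worth keeping in front of it, because rejecting malformed input is cheaper and easier to audit than reasoning about what an escaped query will match.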