riak search java client - sql injection

Jason W jason.w.prog at gmail.com
Mon Mar 23 14:43:31 EDT 2015


Thanks Chris.  I meant the query injection.  Was really looking for an api
that takes parametrized query in riak java client, do you know whether solr
provides that?  It would not be an easy task to do a 100% secure sanitize
function, the above query is really just a simple use case.

Jason

On Mon, Mar 23, 2015 at 1:49 PM, Christopher Meiklejohn <
cmeiklejohn at basho.com> wrote:

>
> > On Mar 22, 2015, at 7:03 PM, Jason W <jason.w.prog at gmail.com> wrote:
> >
> > Hello,
> >
> > I try to use the riak search java client, specifically the
> Search.Builder class, like the following
> >
> > Search search = new Search.Builder("test", "_yz_rb:accounts AND email:"
> + [user-email]).
> >
> >
> >
> > "[user-email]" is what user entered in the login form, my question is
> about sql injection, it seems like the java search client api doesn't
> prevent sql injection, are there any other api/methods that I can use to
> prevent this?  Thank you
>
> Hello Jason,
>
> Search is not SQL; queries are specified in the Solr [1] query syntax so
> they’re not vulnerable to a SQL injection attack, given the basis of a SQL
> injection attack is to end a query and start a new one using unvalidated
> syntax.  While it’s not directly the same thing, in the same class of
> attacks it’s possible for a user to add additional criteria to the query
> given the way you’ve written your search query.  I highly recommend you
> sanitize your inputs before passing them to the query builder.
>
> - Chris
>
> [1] https://wiki.apache.org/solr/SolrQuerySyntax
>
> Christopher Meiklejohn
> Senior Software Engineer
> Basho Technologies, Inc.
> cmeiklejohn at basho.com
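The mitigation Chris describes, as an added example that is not code from this thread, from Basho, or from the Riak Java client: the query is built the same way as in Jason's snippet, but the user-supplied value is escaped first so that it can only ever be read as a single literal term and cannot append extra criteria (`AND`, `OR`, another `field:` clause, wildcards) to the query. The escaping rule is the one used by SolrJ's `ClientUtils.escapeQueryChars`, which Solr does ship for exactly this purpose; it is reproduced here as a standalone method so the program compiles and runs without the Riak or Solr jars. The class name, `buildAccountQuery`, and the sample inputs are constructed for this illustration.

```java
/**
 * Added example: escape user input before splicing it into a Riak Search
 * (Solr syntax) query string. Not part of the Riak Java client.
 */
public final class SolrQueryEscaper {

    // Characters with special meaning in the Solr/Lucene query syntax.
    // Same set that SolrJ's ClientUtils.escapeQueryChars escapes.
    private static final String SPECIAL_CHARS = "\\+-!():^[]\"{}~*?|&;/";

    /** Prefix every special character (and any whitespace) with a backslash. */
    public static String escapeQueryChars(String input) {
        StringBuilder out = new StringBuilder(input.length() * 2);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (SPECIAL_CHARS.indexOf(c) >= 0 || Character.isWhitespace(c)) {
                out.append('\\');
            }
            out.append(c);
        }
        return out.toString();
    }

    /**
     * Build the query from the thread with the user value escaped.
     * An empty value would leave a dangling "email:" and produce a
     * syntax error rather than a safe no-match, so reject it up front.
     */
    public static String buildAccountQuery(String userEmail) {
        if (userEmail == null || userEmail.trim().isEmpty()) {
            throw new IllegalArgumentException("email must not be empty");
        }
        return "_yz_rb:accounts AND email:" + escapeQueryChars(userEmail);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one ordinary address, one that contains
        // spaces and query syntax and would otherwise be parsed as extra criteria.
        String[] samples = {
            "alice@example.com",
            "alice@example.com OR email:*"
        };
        for (String email : samples) {
            System.out.println(buildAccountQuery(email));
        }
        // Prints:
        //   _yz_rb:accounts AND email:alice@example.com
        //   _yz_rb:accounts AND email:alice@example.com\ OR\ email\:\*
        //
        // The escaped string is what would then be passed to the builder
        // from the thread, e.g. new Search.Builder("test", buildAccountQuery(email))
    }
}
```

Escaping fixes the injection concern but not input validation: an address that survives escaping may still be junk, so keep the usual format check (length, one `@`, allowed characters) in front of it. The two measures are independent; escaping protects the query syntax, validation protects the application's own semantics.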