riak search java client - sql injection

Alexander Sicular siculars at gmail.com
Mon Mar 23 14:59:11 EDT 2015


I'll second what Chris said. Afaik, Solr does not solve this problem for you. Riak won't either. I just googled for "sanitize solr query inputs in java" and there are quite a few hits. I'd use that as a starting point, but I'm a bit surprised there isn't a lib somewhere that makes this a non-problem...

-Alexander 


@siculars
http://siculars.posthaven.com

Sent from my iRotaryPhone

> On Mar 23, 2015, at 13:43, Jason W <jason.w.prog at gmail.com> wrote:
> 
> Thanks Chris. I meant the query injection. Was really looking for an API that takes a parametrized query in the Riak Java client; do you know whether Solr provides that? It would not be an easy task to do a 100% secure sanitize function; the above query is really just a simple use case.
> 
> Jason
> 
>> On Mon, Mar 23, 2015 at 1:49 PM, Christopher Meiklejohn <cmeiklejohn at basho.com> wrote:
>> 
>> > On Mar 22, 2015, at 7:03 PM, Jason W <jason.w.prog at gmail.com> wrote:
>> >
>> > Hello,
>> >
>> > I try to use the riak search java client, specifically the Search.Builder class, like the following
>> >
>> > Search search = new Search.Builder("test", "_yz_rb:accounts AND email:" + [user-email]).
>> >
>> >
>> >
>> > "[user-email]" is what the user entered in the login form. My question is about SQL injection: it seems like the Java search client API doesn't prevent SQL injection. Are there any other APIs/methods that I can use to prevent this?  Thank you
>> 
>> Hello Jason,
>> 
>> Search is not SQL; queries are specified in the Solr [1] query syntax so they’re not vulnerable to a SQL injection attack, given the basis of a SQL injection attack is to end a query and start a new one using unvalidated syntax.  While it’s not directly the same thing, in the same class of attacks it’s possible for a user to add additional criteria to the query given the way you’ve written your search query.  I highly recommend you sanitize your inputs before passing them to the query builder.
>> 
>> - Chris
>> 
>> [1] https://wiki.apache.org/solr/SolrQuerySyntax
>> 
>> Christopher Meiklejohn
>> Senior Software Engineer
>> Basho Technologies, Inc.
>> cmeiklejohn at basho.com
> 
> _______________________________________________
> riak-users mailing list
> riak-users at lists.basho.com
> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
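The "sanitize your inputs before passing them to the query builder" advice from Chris's reply, worked through as an added example (this is not code from the thread, from Basho, or from the Riak Java client). It stays at the String level so it runs with no Riak dependency: unsafeQuery() is the concatenation from Jason's original message, safeQuery() backslash-escapes every character that the Solr query syntax treats as an operator before the value is spliced in, and the result is the string you would hand to Search.Builder("test", ...). The email value in main() is constructed for the demo, and looksLikeEmail() is an assumed allow-list check that is appropriate for this one field but is not a general-purpose sanitizer.

```java
import java.util.regex.Pattern;

public final class SolrQueryEscaper {

    // Characters with meaning in the Solr/Lucene query syntax: \ + - ! ( ) : ^ [ ] " { } ~ * ? | & ; / and space.
    // This is the same set that SolrJ's ClientUtils.escapeQueryChars escapes.
    private static final String SPECIAL = "\\+-!():^[]\"{}~*?|&;/ ";

    /** Backslash-escapes every Solr query metacharacter so the value can only ever be a literal term. */
    public static String escapeQueryChars(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (SPECIAL.indexOf(c) >= 0) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    // Vulnerable: the untrusted value is spliced straight into the query string, exactly as in the original post,
    // so anything it contains (spaces, OR, field:value, wildcards) becomes part of the query.
    public static String unsafeQuery(String userEmail) {
        return "_yz_rb:accounts AND email:" + userEmail;
    }

    // Hardened: the untrusted value is escaped first, so it is matched as one literal term.
    public static String safeQuery(String userEmail) {
        return "_yz_rb:accounts AND email:" + escapeQueryChars(userEmail);
    }

    // Assumed allow-list check for this particular field (a login email). Rejecting anything that is not
    // email-shaped is cheaper and easier to reason about than escaping, but only works for narrow fields.
    private static final Pattern EMAIL =
            Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");

    public static boolean looksLikeEmail(String s) {
        return s != null && EMAIL.matcher(s).matches();
    }

    public static void main(String[] args) {
        // Constructed input: a "login email" carrying extra query criteria, as in Chris's description.
        String input = "x@example.com OR *:*";

        System.out.println("unsafe: " + unsafeQuery(input));
        // unsafe: _yz_rb:accounts AND email:x@example.com OR *:*   (the OR widens the query)

        System.out.println("safe:   " + safeQuery(input));
        // safe:   _yz_rb:accounts AND email:x@example.com\ OR\ \*\:\*   (one literal, matches nothing)

        System.out.println("looks like an email? " + looksLikeEmail(input));
        // false: with an allow-list check the request would be rejected before any query is built
    }
}
```

If SolrJ is already on the classpath, org.apache.solr.client.solrj.util.ClientUtils.escapeQueryChars does the same escaping as the helper above and is the better-maintained choice; the Riak Java client itself offers no parametrized query API, so escaping (or an allow-list check) has to happen in application code before the string reaches Search.Builder.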