Problem description
I'm writing some Google BigQuery dynamic reporting utilities for our website that will allow users to select a parameter to be replaced in the query. Given this query "template":
SELECT name ,
birthday
FROM [dataset.users]
WHERE registration_date = '{{registration_date}}'
we take the {{registration_date}} value from the user and replace it in the template, resulting in this query:
SELECT name ,
birthday
FROM [dataset.users]
WHERE registration_date = '2013-11-11'
How can I prevent SQL-injection-like attacks in this scenario, given that I'm executing the queries using the Google BigQuery client API, and the API doesn't allow one to use positional parameters as on traditional RDBMS APIs?
Recommended answer
Check "Defense Option 3: Escaping All User Supplied Input" in OWASP:
UPDATE: Parameterized queries are an option now
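As an added example (not part of the question or the answer above), here is the question's template rendered both ways in Python: the naive string substitution the asker describes, and the named-parameter form that the update refers to, with the value validated as a DATE before it is bound. The template and the inputs are constructed; note that BigQuery query parameters need standard SQL, so the legacy `[dataset.users]` reference is rewritten.

```python
import re
from datetime import date

# Constructed template, as in the question: legacy-SQL table reference and a
# {{placeholder}} that the user-supplied value is substituted into.
TEMPLATE = """SELECT name, birthday
FROM [dataset.users]
WHERE registration_date = '{{registration_date}}'"""

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")
QUOTED_PLACEHOLDER = re.compile(r"'?\{\{(\w+)\}\}'?")
LEGACY_TABLE = re.compile(r"\[([\w.]+)\]")  # [dataset.table] -> `dataset.table`

# Expected BigQuery type and a strict parser for each placeholder; anything
# that does not parse is rejected before any SQL is assembled.
PARAM_SPECS = {
    "registration_date": ("DATE", lambda s: date.fromisoformat(s).isoformat()),
}


def render_naive(template: str, values: dict) -> str:
    """The substitution the question describes: the raw string is spliced
    into the SQL, so a quote in the value alters the statement itself."""
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), template)


def render_parameterized(template: str, values: dict):
    """Turn each {{name}} into the named query parameter @name and return
    (sql, params). The value travels out-of-band as typed data and never
    becomes part of the SQL text. Query parameters require standard SQL,
    so the legacy [dataset.table] reference is rewritten to backticks."""
    params = []

    def to_param(m):
        name = m.group(1)
        type_, parse = PARAM_SPECS[name]                    # KeyError: unknown placeholder
        params.append((name, type_, parse(values[name])))   # ValueError: value is not a date
        return "@" + name

    sql = QUOTED_PLACEHOLDER.sub(to_param, template)
    sql = LEGACY_TABLE.sub(r"`\1`", sql)
    # With the google-cloud-bigquery client each tuple maps to
    # bigquery.ScalarQueryParameter(name, type_, value) in QueryJobConfig(query_parameters=[...]).
    return sql, params
```

Feeding the same hostile string to both functions shows the difference: `render_naive` returns a WHERE clause that is always true, while `render_parameterized` raises ValueError and never builds a query.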