This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย
- SnapLogic - Integration Nation
- Designing and Running Pipelines
- SQL Injection question
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
โ03-26-2018 07:23 AM
Hi,
what is the mechanism in Snaplogic to prevent SQL injection, e.g. for Oracle.
Do snaps, e.g. Oracle select, prevent SQL injection?
Thanks
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
โ03-28-2018 11:06 AM
Hereโs some guidance for writing SQL for Snaps:
Simple Substitutions
If you need to use an input document value for a value in SQL, you can directly reference it with a JSON-Path. You do not need to make the property an expression. For example, to use the property โnameโ in the input document, you would write the following:
SELECT * FROM mytable WHERE name = $name
Donโt write something like the following, which would allow for a SQL injection:
"SELECT * FROM mytable WHERE name = \'" + $name + "'"
If you need to reference a pipeline parameter or do a simple transform with an expression, you can use the .eval() JSON-Path syntax, like so:
SELECT * FROM mytable WHERE id = $.eval(parseInt(_idToLookup))
Or, you can insert a Mapper snap upstream from the SQL snap and write an expression to put into the input document.
Dynamically constructing a SQL query
Unfortunately, you cannot use a path at all points in a query, so you will need to make the SQL property an expression in some cases. For example, if you need to pull the table name or column name from somewhere, then youโll need to use an expression. However, you should still be using paths for substituting values in the generated SQL. For example, if we wanted to parameterize the table name in the above query, you could do:
"SELECT * FROM " + $table + " WHERE name = $name"
The Snap will evaluate the expression and still do the path substitutions.
Details
The Snaps that support SQL will preprocess the query to extract any JSON-Paths and convert them to bound parameters. For example, in this query:
SELECT * FROM mytable WHERE name = $nameThe query is converted to something like the following before it is turned into a prepared statement for the DB:
SELECT * FROM mytable WHERE name = ?The Snap will then evaluate the JSON-Path to get the value to bind to the given parameter in the prepared statement.
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
โ03-28-2018 11:06 AM
Hereโs some guidance for writing SQL for Snaps:
Simple Substitutions
If you need to use an input document value for a value in SQL, you can directly reference it with a JSON-Path. You do not need to make the property an expression. For example, to use the property โnameโ in the input document, you would write the following:
SELECT * FROM mytable WHERE name = $name
Donโt write something like the following, which would allow for a SQL injection:
"SELECT * FROM mytable WHERE name = \'" + $name + "'"
If you need to reference a pipeline parameter or do a simple transform with an expression, you can use the .eval() JSON-Path syntax, like so:
SELECT * FROM mytable WHERE id = $.eval(parseInt(_idToLookup))
Or, you can insert a Mapper snap upstream from the SQL snap and write an expression to put into the input document.
Dynamically constructing a SQL query
Unfortunately, you cannot use a path at all points in a query, so you will need to make the SQL property an expression in some cases. For example, if you need to pull the table name or column name from somewhere, then youโll need to use an expression. However, you should still be using paths for substituting values in the generated SQL. For example, if we wanted to parameterize the table name in the above query, you could do:
"SELECT * FROM " + $table + " WHERE name = $name"
The Snap will evaluate the expression and still do the path substitutions.
Details
The Snaps that support SQL will preprocess the query to extract any JSON-Paths and convert them to bound parameters. For example, in this query:
SELECT * FROM mytable WHERE name = $nameThe query is converted to something like the following before it is turned into a prepared statement for the DB:
SELECT * FROM mytable WHERE name = ?The Snap will then evaluate the JSON-Path to get the value to bind to the given parameter in the prepared statement.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
โ04-02-2018 09:51 AM
Thanks so much, this is very helpful
Related Content
- Date.parse() & Daylight Saving Time in Designing and Running Pipelines
- Logging mechanism in order to get parent pipeline name in logging pipeline in Designing and Running Pipelines
- SnapLogic Metadata List - Get all projects in Designing and Running Pipelines
- SnapLogic Metadata Read - Parsing Question in Designing and Running Pipelines
- Azure Cosmos DB in Designing and Running Pipelines
