Avoiding SQL Injection attacks using procedures

SQL injections are a common security issue when users are given the freedom to construct their queries. One way to avoid them is by creating a custom procedure that acts as a wrapper, eliminating any risk of injection.
Here is an example procedure for filtering hand_on.cust view using country filter.

CREATE PROCEDURE hands_on.parametrizedQuery(IN filter_string STRING NOT NULL) RETURNS (City STRING NOT NULL, Company STRING NOT NULL) AS     BEGIN        DECLARE STRING sql_string = 'SELECT City, CompanyName FROM hands_on.cust WHERE hands_on.cust.country = DVARS.country';        EXECUTE IMMEDIATE sql_string AS City STRING, CompanyName STRING INTO #temptbl USING country=filter_string;        SELECT * FROM #temptbl;    END;;

You can call it using a CALL functionality

CALL hands_on.parametrizedQuery('China');;

Or, if the CALL is not available, you can query it like a table and specify the input variable name and value in a WHERE statement.

SELECT * from hands_on.parametrizedQuery where filter_string='China';;

Be the first to reply!

Reply

CData Software is a leading provider of data access and connectivity solutions. Our standards-based connectors streamline data access and insulate customers from the complexities of integrating with on-premise or cloud databases, SaaS, APIs, NoSQL, and Big Data.

Connect With Us

Get Started

Data Connectors

ETL/ ELT Solutions

Cloud & API Connectivity

OEM & Custom Drivers

Connect With Us

Get Started

Data Visualization

Company

News & Insights

Reply

Sign up

CData Community

Scanning file for viruses.

This file cannot be downloaded

Connect With Us

Connect With Us