Closed: NoTuxNoBux closed 7 months ago
Query parameters are only supported with KQL Queries. Commands (anything that starts with a dot '.') do not have this mechanism implemented.
I understand, but I actually meant not just 'support query parameters' for all of these, but alternatively perhaps also expose some .NET methods that can aid with escaping when interpolating other things into queries.
Currently I'm just interpolating by using C# interpolation, but if I want to base values on user input, I'm left to do escaping myself based on what I think is correct, which is asking for an injection security problem sooner or later.
There is already a mechanism in place for using query parameters through the SDK, which is based on the `declare query_parameters` construct, if I understand correctly, which works as expected, but there appear to be some gaps where no (documented) utilities exist to escape and the existing parameters don't work, where we have to resort to .NET interpolation with potential security risks:

```
.set stored_query_result {escapedName} with (previewCount = 1, expiresAfter = {expiresAfterMinutes}m)
.append SomeTable with tags('[{myEscapedString}]') <| ...
```
The third one is especially relevant since tags cannot be passed when ingesting through streaming (#21) and other means of ingestion, such as through files, can be less appropriate for applications generating the data on demand.
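As an added example, not code from the Kusto SDK or from the issue author, here is one way to build the two command shapes quoted above so that every interpolated value is either allowlisted or escaped before it reaches the command text. The identifier allowlist, the backslash-escape rules for Kusto string literals and the JSON-array encoding of the tags value are assumptions of the example, not something the thread confirms.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Text.Json;
using System.Text.RegularExpressions;

// Added example (not part of the Kusto SDK): builds the two management commands
// from the issue with each interpolated value validated or escaped first.
public static class KustoCommandBuilder
{
    // Assumption: entity names are accepted verbatim only as plain unquoted identifiers.
    static readonly Regex Identifier = new Regex(@"^[A-Za-z_][A-Za-z0-9_]*$");

    public static string RequireIdentifier(string name)
    {
        if (name == null || name.Length > 1024 || !Identifier.IsMatch(name))
            throw new ArgumentException($"Not a plain identifier: '{name}'");
        return name;
    }

    // Assumption: Kusto string literals are single-quoted with backslash escapes.
    // Backslash is doubled first so the quote escape cannot itself be escaped away;
    // other control characters are refused rather than escaped.
    public static string StringLiteral(string value)
    {
        if (value.Any(c => char.IsControl(c) && c != '\n' && c != '\r' && c != '\t'))
            throw new ArgumentException("Control characters are not allowed in literals");
        return "'" + value.Replace("\\", "\\\\").Replace("'", "\\'")
                          .Replace("\n", "\\n").Replace("\r", "\\r").Replace("\t", "\\t") + "'";
    }

    // Numbers are typed and formatted with the invariant culture, so no user text is
    // ever spliced into the expiresAfter / previewCount positions.
    public static string SetStoredQueryResult(string name, int previewCount, int expiresAfterMinutes)
    {
        if (previewCount < 0) throw new ArgumentOutOfRangeException(nameof(previewCount));
        if (expiresAfterMinutes <= 0) throw new ArgumentOutOfRangeException(nameof(expiresAfterMinutes));
        return string.Format(CultureInfo.InvariantCulture,
            ".set stored_query_result {0} with (previewCount = {1}, expiresAfter = {2}m)",
            RequireIdentifier(name), previewCount, expiresAfterMinutes);
    }

    // tags() takes a string literal whose content is a JSON array (assumption): the tag
    // list is JSON-encoded first, then the whole JSON text is escaped as a Kusto literal,
    // so a tag containing a quote or backslash is encoded twice, once per layer.
    // `query` is the application's own KQL text, never user input.
    public static string AppendWithTags(string table, IEnumerable<string> tags, string query)
    {
        string json = JsonSerializer.Serialize(tags.ToArray());
        return $".append {RequireIdentifier(table)} with tags({StringLiteral(json)}) <| {query}";
    }
}
```

Passing a constructed tag such as `it's \"quoted\"` through `AppendWithTags` shows both encoding layers at work in the resulting literal, while a table name like `SomeTable; .drop` is rejected outright by `RequireIdentifier`.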