Open yulingchen54 opened 6 years ago
Hi @yulingchen54,
Kundera does not use PreparedStatement to execute queries. CQL itself has some features which prevent injection. Features like:
You can write a custom function on query to check for other validations for injections that you think are possible in your application.
-Karthik
Thanks Karthik for the quick reply.
I did see the nativeQuery and other types of query support parameter settings. Would that be equivalent to the PreparedStatement variable binding? Now we observe that if we pass a single-quote-encased value in the where clause, the query will fail. If we use the parameter options in the nativeQuery, would that fix the issue?
Thanks, YuLing
B.T.W. Karthik, could it be possible for Kundera to support PreparedStatement provided from CQL down the road? PreparedStatement is recommended as the first defense against SQL injection by OWASP: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Thanks, YuLing
@yulingch
We don't have it in our road map as of now. We can think about it in future releases.
-Karthik
Hi All,
We would like to use Cassandra PreparedStatement via Kundera. However, I'm not sure if the Kundera entityManager API uses PreparedStatement internally?
entityManager.find(entityClass, primaryKey)
Query query = entityManager.createNativeQuery(nativeQuery,entityClass);
The reason for us to use PreparedStatement is to avoid SQL injection. How does Kundera guarantee that it is not vulnerable to SQL injection?
Thanks, YuLing
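An added illustration of the distinction the thread is about (not code from this thread or from the Kundera project): a value spliced into the CQL text versus a value supplied through JPA's standard Query.setParameter on a createNativeQuery. It assumes a JPA entity class passed in by the caller and that Kundera accepts a positional "?1" bind marker in native CQL; the escaping helper is a fallback for code paths that still build query text.

```java
import javax.persistence.EntityManager;
import javax.persistence.Query;
import java.util.List;

public class CqlBindingExample {

    // Constructed sample input: a single quote that breaks a concatenated CQL literal.
    static final String UNTRUSTED_NAME = "o'brien";

    // Vulnerable form: the value becomes part of the CQL text. A quote in the input
    // terminates the literal early, so the query fails or its structure changes.
    static String concatenated(String name) {
        return "SELECT * FROM users WHERE name = '" + name + "'";
    }

    // Preferred form: the CQL text is constant and the value is passed as a parameter
    // through JPA's Query.setParameter, so it is never part of the statement string.
    // Assumption: Kundera accepts the positional "?1" marker in native CQL.
    static List<?> findByName(EntityManager em, Class<?> entityClass, String name) {
        Query q = em.createNativeQuery("SELECT * FROM users WHERE name = ?1", entityClass);
        q.setParameter(1, name);
        return q.getResultList();
    }

    // Fallback only: CQL escapes a single quote inside a string literal by doubling it.
    // Use this where query text is still assembled by hand; binding remains preferable.
    static String escapeCqlLiteral(String value) {
        return value.replace("'", "''");
    }

    public static void main(String[] args) {
        // Prints the broken statement produced by concatenation, then the well-formed
        // one produced with the escaped literal.
        System.out.println(concatenated(UNTRUSTED_NAME));
        System.out.println("SELECT * FROM users WHERE name = '"
                + escapeCqlLiteral(UNTRUSTED_NAME) + "'");
    }
}
```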