ghdna / athena-express

Athena-Express can simplify executing SQL queries in Amazon Athena AND fetching cleaned-up JSON results in the same synchronous or asynchronous request - well suited for web applications.
https://www.npmjs.com/package/athena-express
MIT License
181 stars 70 forks

Escaping parameters #25

Open fgheorghe opened 4 years ago

fgheorghe commented 4 years ago

Hi all

Apologies if this is not the right place to ask this, but I am wondering if there is a straightforward way of adding parameter escaping for .query()? Much like with other SQL implementations, Athena queries can also suffer from SQL injection, and as such, I was wondering if athena-express should natively support bound parameters? Something like .query(sql, params), where sql = "SELECT * FROM table WHERE column = [?|:paramName]" and params is either an array of params to replace ? or an object with keys for param names (i.e.: { paramName: 'paramValue' }).

Edit: at the moment I am using https://www.npmjs.com/package/sqlstring, happy to issue a PR with native parameters support.

Regards, Flaviu
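The binding scheme proposed above, as an added example that is not part of the original thread or of athena-express: a hypothetical `bindParams(sql, params)` helper that substitutes positional `?` or named `:name` placeholders with escaped literals, leaving placeholders inside string literals, quoted identifiers and comments untouched. It escapes strings the way the Presto/Trino dialect behind Athena expects (an embedded single quote is doubled; backslash is an ordinary character), which differs from the MySQL backslash convention that sqlstring implements, so whichever escaper is adopted should be checked against Athena's dialect. The function names, table and column names and sample inputs are all constructed for the example.

```javascript
// Added illustration (not athena-express's own code): positional "?" and named
// ":name" parameter binding with Presto/Trino-style literal escaping.
// Assumed: values are strings, finite numbers, booleans, null, or arrays of those.

const IDENT_START = /[A-Za-z_]/;
const IDENT_CHAR = /[A-Za-z0-9_]/;

function escapeLiteral(value) {
  if (value === null || value === undefined) return 'NULL';
  if (typeof value === 'number') {
    if (!Number.isFinite(value)) throw new TypeError('non-finite number parameter');
    return String(value);
  }
  if (typeof value === 'boolean') return value ? 'TRUE' : 'FALSE';
  if (Array.isArray(value)) return '(' + value.map(escapeLiteral).join(', ') + ')';
  if (typeof value === 'string') {
    // Presto/Trino string literal: the only special character is the single quote,
    // which is escaped by doubling it. Backslash needs no treatment here.
    return "'" + value.replace(/'/g, "''") + "'";
  }
  throw new TypeError(`unsupported parameter type: ${typeof value}`);
}

function bindParams(sql, params) {
  if (params === undefined || params === null) return sql;
  const positional = Array.isArray(params);
  let out = '';
  let i = 0;
  let used = 0;
  while (i < sql.length) {
    const c = sql[i];
    // Quoted string literal or quoted identifier: copy verbatim, honouring '' / "" doubling,
    // so a "?" or ":name" that is part of the query text is never treated as a placeholder.
    if (c === "'" || c === '"') {
      let j = i + 1;
      for (;;) {
        if (j >= sql.length) throw new Error('unterminated quoted token in SQL');
        if (sql[j] === c) {
          if (sql[j + 1] === c) { j += 2; continue; }
          break;
        }
        j++;
      }
      out += sql.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    // Line comment: copy through end of line.
    if (c === '-' && sql[i + 1] === '-') {
      const nl = sql.indexOf('\n', i);
      const stop = nl === -1 ? sql.length : nl;
      out += sql.slice(i, stop);
      i = stop;
      continue;
    }
    // Block comment: copy through the closing marker.
    if (c === '/' && sql[i + 1] === '*') {
      const end = sql.indexOf('*/', i + 2);
      if (end === -1) throw new Error('unterminated block comment in SQL');
      out += sql.slice(i, end + 2);
      i = end + 2;
      continue;
    }
    if (positional && c === '?') {
      if (used >= params.length) throw new Error('more "?" placeholders than parameters');
      out += escapeLiteral(params[used++]);
      i++;
      continue;
    }
    if (!positional && c === ':' && IDENT_START.test(sql[i + 1] || '')) {
      let j = i + 1;
      while (j < sql.length && IDENT_CHAR.test(sql[j])) j++;
      const name = sql.slice(i + 1, j);
      if (!Object.prototype.hasOwnProperty.call(params, name)) {
        throw new Error(`missing parameter :${name}`);
      }
      out += escapeLiteral(params[name]);
      i = j;
      continue;
    }
    out += c;
    i++;
  }
  if (positional && used !== params.length) {
    throw new Error('fewer "?" placeholders than parameters');
  }
  return out;
}

// Constructed sample input: an attacker-controlled value that breaks out of the
// string literal when concatenated directly, but stays inside it when bound.
const hostile = "' OR 1=1 --";
const unsafeQuery = `SELECT * FROM events WHERE user = '${hostile}'`;   // injectable
const boundQuery = bindParams('SELECT * FROM events WHERE user = ?', [hostile]);
```

Calling `bindParams` with an array binds `?` in order and rejects a count mismatch; calling it with an object binds `:name` and rejects an unknown name, so a typo in a placeholder fails loudly instead of silently shipping the raw text to Athena.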

ghdna commented 4 years ago

Sure, please issue a PR with support and I'll look at it.

fgheorghe commented 4 years ago

Great - will work on it later this week. Regards!

fgheorghe commented 4 years ago

@ghdna sorry for the delay on this one, holidays got in the way.

Please find below a draft pull request: https://github.com/ghdna/athena-express/pull/31

I need to test it a bit more in the following days to make sure everything works fine. But the idea is to use an optional second parameter of .query() or a query object key (described in the draft PR).

Adds a dependency on SqlString.

Please let me know what you think about the PR.

Edit: I will update code documentation to reflect the availability of named bound parameters as well as array bound params.