Default Implementation allows for SQL injection

[pgaschuetz]

Hi,

I've just been looking at this and believe - without testing - that your default implementation is actually prone for SQL injection:

• When configured with the integration Servlet Filter, a http header could be provided,
• this is in turn converted to a Tenant using the DefaultProvider,
• which simply sets the Identity to the provided value.
• The SwitchingDatasource then simply uses getIdentity().toString() as a database name.

DatabaseMetaData.getIdentifierQuoteString() might be a possible candidate for a solution, or at least throw an exception if the databasename contains the quote character.

Best Philipp

[ghost]

Thanks for pointing out this issue Philipp. As you point out the implementation should either ensure that special characters are properly encoded, disallow special characters, or use a prepared statement with parameters instead of using the string directly in the SQL.