uskudnik / amazon-glacier-cmd-interface

Command line interface for Amazon Glacier
MIT License
374 stars 100 forks

Search terms with quotes #64

Closed wvmarle closed 12 years ago

wvmarle commented 12 years ago

Setting up search I found an interesting issue: quoting.

For safe db access, search terms should be quoted, so that every ' becomes \'. Otherwise bad things happen when someone searches for something like `'; drop * from table`. Just your regular SQL injection.

But when doing this, queries to SimpleDB break: it's apparently not allowed to add quoted characters. Normal quotes like ' and " of course cause problems. My solution for now is to simply reject search terms that contain quote characters.

Any solution for this? Or just not allow searching with such characters?

uskudnik commented 12 years ago

Based on http://stackoverflow.com/questions/4446919/how-can-i-protect-amazon-simpledb-from-sql-injection, this is not a problem, especially since we only show a couple of returned parameters.

Another solution is to simply double every quote.

So not allowing is not necessary I guess, though it might be a good idea? Although I can see a case of " or ' showing up for description or filename...

wvmarle commented 12 years ago

Thanks. I was sure there was some way but couldn't find it (and the common backslash escape didn't work).

So what we have to do: for quotes in the SQL statement use the double quote (", SQL standard) and then double up all double quotes that appear inside the user input.

That should do the job. I didn't like to disallow it either.
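The approach described above, worked through as an added example (this is not code from amazon-glacier-cmd-interface or from the commenters; the domain and attribute names are made up, and the query string is what would be handed to SimpleDB's Select operation). It builds the select expression with double-quoted string literals, doubles every double quote that appears in the user's term, and then shows, by decoding the literals back out of both a safe and a naively concatenated query, why the doubled form keeps a hostile term inside one literal:

```python
"""Building a SimpleDB select expression from an untrusted search term.

Added example, not code from amazon-glacier-cmd-interface. The domain and
attribute names used below are made up.
"""

import re


def quote_sdb_value(value: str) -> str:
    """Render value as a double-quoted SimpleDB string literal.

    SimpleDB encloses string constants in single or double quotes and escapes
    an embedded quote of the enclosing kind by doubling it; backslash escapes
    are not recognised. Choosing double quotes for the statement means single
    quotes in the input need no treatment at all.
    """
    return '"' + value.replace('"', '""') + '"'


def quote_sdb_name(name: str) -> str:
    """Render a domain or attribute name as a backtick-quoted identifier,
    applying the same doubling rule to any backtick in the name itself."""
    return "`" + name.replace("`", "``") + "`"


def build_search_query(domain: str, attribute: str, term: str) -> str:
    """Safe form: the user's term becomes exactly one string literal."""
    pattern = quote_sdb_value("%" + term + "%")
    return (f"select * from {quote_sdb_name(domain)} "
            f"where {quote_sdb_name(attribute)} like {pattern}")


def naive_search_query(domain: str, attribute: str, term: str) -> str:
    """Unsafe form for comparison: the term is pasted straight into the query."""
    return f'select * from `{domain}` where `{attribute}` like "%{term}%"'


# One double-quoted literal: a run of non-quote characters or doubled quotes.
_DQ_LITERAL = re.compile(r'"((?:[^"]|"")*)"')


def string_literals(query: str) -> list:
    """Decode the double-quoted literals in query the way a SimpleDB-style
    parser would, turning each doubled quote back into one quote character.
    The number of literals found is the tell: a safely built query yields
    exactly one, whatever the term contained."""
    return [m.group(1).replace('""', '"') for m in _DQ_LITERAL.finditer(query)]


# Constructed hostile input: the issue's example plus double quotes, which are
# the characters that matter once the statement itself uses double quotes.
MALICIOUS_TERM = "'; drop * from table \" or \"1\"=\"1"

if __name__ == "__main__":
    safe = build_search_query("glacier-inventory", "description", MALICIOUS_TERM)
    naive = naive_search_query("glacier-inventory", "description", MALICIOUS_TERM)
    print(safe)
    print(string_literals(safe))   # one literal, the whole term intact
    print(naive)
    print(string_literals(naive))  # the term has spilled into three literals
```

Doubling only neutralises the quote characters; `%` stays a `like` wildcard, so a term of `%` still matches every item, which is harmless for a search but worth knowing.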

wvmarle commented 12 years ago

Easy fix now I know how it has to be done :-)

https://github.com/wvmarle/amazon-glacier-cmd-interface/commit/ebf384fc77020ed7e4bd0dc69087db60a63cae47

It's in the pull request; closing this issue.