Well, most of the vulnerabilities I can think of involve substitutions. For instance, suppose you had a GQL query that looked like this:

query = "SELECT * FROM photos WHERE id=%s" % request.POST["photo_id"]

(Apologies for mixing syntax, my mind has been switching frameworks a lot.) Then yes, a user *could* probably inject AND as well as ORDER properties (don't know how bad this is, though). However, if you're doing something like this:

query = "SELECT * FROM photos WHERE id=%s AND owner_id=%s" % (request.POST["photo_id"], session["user_id"])

Let's say a user attempts to inject "?photo_id=1;". That would bork the parser and prevent this from happening. Maybe I'm wrong. It seems like it's a lot harder to do anything that could be damaging in GQL than in SQL due to:

1. Lack of an "OR" operator (thanks Geoffrey),
2. Lack of a semicolon,
3. Eager processing if the GQL query contains invalid syntax as a whole.

All that being said, it's probably best to programmatically create your queries.

--
Ikai Lan
Developer Programs Engineer, Google App Engine
Blogger: http://googleappengine.blogspot.com
Reddit: http://www.reddit.com/r/appengine
Twitter: http://twitter.com/app_engine

On Mon, Nov 29, 2010 at 1:18 PM, Barry Hunter <[email protected]> wrote:
> Not necessarily, for example a SQL query like
>
> SELECT * FROM users WHERE username='$username' AND password='$password'
>
> A malicious user could enter a username and password like
>
> bla' OR '1' = '1
>
> and end up logging you in as the first user - often an admin user,
> because with naive string substitution the query would be
>
> SELECT * FROM users WHERE username='bla' OR '1' = '1' AND
> password='bla' OR '1' = '1'
>
> which on many databases would just match every row. That exact form
> wouldn't work on GQL either, but pretty sure there would be similar
> ones.
>
> On 29 November 2010 20:09, Ikai Lan (Google) <[email protected]> wrote:
> > Doesn't that require the SQL parser to understand semi-colons? GQL does
> > not.
> >
> > --
> > Ikai Lan
> > Developer Programs Engineer, Google App Engine
> > Blogger: http://googleappengine.blogspot.com
> > Reddit: http://www.reddit.com/r/appengine
> > Twitter: http://twitter.com/app_engine
> >
> > On Fri, Nov 26, 2010 at 6:41 AM, Barry Hunter <[email protected]> wrote:
> >>
> >> Even read-only SQL injection has its 'uses'. I.e. it can be used to
> >> exploit 'SELECT's.
> >>
> >> For example, in some systems, depending on how login is implemented
> >> it's possible to use SQL injection to login as an admin user - to pick
> >> one possible use.
> >>
> >> On 26 November 2010 13:38, Tim Hoffman <[email protected]> wrote:
> >> > GQL is read only, so you can't inject anything if you're using GQL, or
> >> > for that matter Query objects.
> >> >
> >> > T
> >> >
> >> > On Nov 26, 8:37 pm, pdknsk <[email protected]> wrote:
> >> >> And by clarify I mean verify.
> >> >
> >> > --
> >> > You received this message because you are subscribed to the Google
> >> > Groups "Google App Engine" group.
> >> > To post to this group, send email to [email protected].
> >> > To unsubscribe from this group, send email to
> >> > [email protected].
> >> > For more options, visit this group at
> >> > http://groups.google.com/group/google-appengine?hl=en.
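The pattern Ikai's closing line recommends ("programmatically create your queries") and the login case Barry describes, shown together as an added example that is not code from this thread or from App Engine itself. It assumes the `:1`/`:2` positional placeholder style of App Engine's `db.GqlQuery`, but does not call the datastore: each builder returns the `(query_text, params)` pair a caller would hand to `db.GqlQuery`, so the block runs offline. All function and constant names are this example's own.

```python
# Added example, not code from the thread or from App Engine. Two defensive
# pieces: allow-list validation of the photo_id request value, and a constant
# query string with bound parameters (App Engine GQL uses ":1", ":2" or
# ":name" placeholders; the real call is db.GqlQuery(text, *params)).
# No datastore here: builders return (query_text, params) instead of running.

PHOTO_BY_OWNER = "SELECT * FROM photos WHERE id = :1 AND owner_id = :2"
USER_BY_NAME = "SELECT * FROM users WHERE username = :1"


def unsafe_photo_query(raw_photo_id, owner_id):
    """The pattern the thread warns about: the request value is spliced into
    the query text, so whatever the user typed becomes part of the syntax."""
    return "SELECT * FROM photos WHERE id=%s AND owner_id=%s" % (raw_photo_id, owner_id)


def parse_photo_id(raw):
    """Allow-list check: a photo id is a decimal integer and nothing else.
    The thread's probe value "1;" is rejected here, before a query exists."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("photo_id must be a decimal integer, got %r" % (raw,))
    return int(raw)


def is_valid_photo_id(raw):
    """Boolean wrapper around parse_photo_id for callers that want a check."""
    try:
        parse_photo_id(raw)
        return True
    except ValueError:
        return False


def safe_photo_query(raw_photo_id, owner_id):
    """Constant query text plus bound parameters. The text never depends on
    input, which is the property parameter binding guarantees."""
    return PHOTO_BY_OWNER, (parse_photo_id(raw_photo_id), owner_id)


def login_lookup_query(username):
    """Login variant: only the username reaches the datastore, as a bound
    parameter. Password verification against the stored hash happens in code,
    so no password comparison lives in the query text (a design choice made
    in this example, not something the thread shows)."""
    if not isinstance(username, str) or not username:
        raise ValueError("username must be a non-empty string")
    return USER_BY_NAME, (username,)


def query_text_changed(builder, baseline_input, probe_input, owner_id=7):
    """Review-time check for any query builder: does a different input change
    the query *text*? With string splicing it does; with a parameterised
    builder the text is identical and only the params differ."""
    base = builder(baseline_input, owner_id)
    probe = builder(probe_input, owner_id)
    base_text = base[0] if isinstance(base, tuple) else base
    probe_text = probe[0] if isinstance(probe, tuple) else probe
    return base_text != probe_text


if __name__ == "__main__":
    # Constructed inputs: a normal id and the thread's "1;" probe value.
    print(unsafe_photo_query("1;", 7))          # the ";" lands in the query text
    print(is_valid_photo_id("1;"))              # False: rejected before any query
    print(safe_photo_query("42", 7))            # constant text, params (42, 7)
    print(login_lookup_query("bla' OR '1' = '1"))  # quote stays inside the param
    print(query_text_changed(unsafe_photo_query, "1", "2"))  # True
    print(query_text_changed(safe_photo_query, "1", "2"))    # False
```

The `query_text_changed` helper is the quick test to apply to any query-building function during code review: feed it two different inputs and compare the text it emits. If the text differs, user data is being spliced into syntax and the builder should be rewritten around bound parameters, whichever of GQL or SQL it targets.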
