Hello,
We are using version 2.7 of the Couchbase-lite-ios in our application and
through a security scan, some dynamic SQL queries were identified. Some of
the findings are that our client side code is doing include:
-
INSERT INTO "%@" ("%@", "%@", "%@", "%@", "%@", "%@") VALUES ('%@',
'%@', '%@', %@, '%u', '%lld')
-
CREATE TABLE "%@" (%@%@);
- DELETE FROM "%@" WHERE %@
>From the description, it points out that these client-side SQL queries are
populated at runtime via format strings and could be subject to SQL
Injection.
We are passing the strings from the application into the queryObject when
we are building out the query through CBLQuery.buildQuery.
In addition to ensuring our inputs are sanitized prior to building the
query, I was wondering if the the CBLQueryBuilder has any additional guards
against potential SQL Injection attacks? Also, are there other suggestions
on how we can utilize CBLQuery safely? Please let me know if you require
additional information.
Thanks,
Gary
--
You received this message because you are subscribed to the Google Groups
"Couchbase Mobile" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/mobile-couchbase/e3b24c64-fe1b-4292-a98c-af4b02780d31n%40googlegroups.com.
