Thanks Chris. I meant the query injection. I was really looking for an API that takes a parametrized query in the Riak Java client; do you know whether Solr provides that? It would not be an easy task to do a 100% secure sanitize function; the above query is really just a simple use case.
Jason

On Mon, Mar 23, 2015 at 1:49 PM, Christopher Meiklejohn <[email protected]> wrote:

> > On Mar 22, 2015, at 7:03 PM, Jason W <[email protected]> wrote:
> >
> > Hello,
> >
> > I try to use the Riak search Java client, specifically the Search.Builder class, like the following
> >
> > Search search = new Search.Builder("test", "_yz_rb:accounts AND email:" + [user-email]).
> >
> > "[user-email]" is what the user entered in the login form. My question is about SQL injection: it seems like the Java search client API doesn't prevent SQL injection. Are there any other API/methods that I can use to prevent this? Thank you
>
> Hello Jason,
>
> Search is not SQL; queries are specified in the Solr [1] query syntax so they're not vulnerable to a SQL injection attack, given the basis of a SQL injection attack is to end a query and start a new one using unvalidated syntax. While it's not directly the same thing, in the same class of attacks it's possible for a user to add additional criteria to the query given the way you've written your search query. I highly recommend you sanitize your inputs before passing them to the query builder.
>
> - Chris
>
> [1] https://wiki.apache.org/solr/SolrQuerySyntax
>
> Christopher Meiklejohn
> Senior Software Engineer
> Basho Technologies, Inc.
> [email protected]
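Added example, not code from the thread or from the Riak client: a small Java helper that escapes every Solr/Lucene query metacharacter in the user-supplied email before it is concatenated into the query string from Jason's message, which is the sanitizing step Chris recommends. The class and method names are hypothetical; the sample inputs are constructed. SolrJ ships an equivalent routine, org.apache.solr.client.solrj.util.ClientUtils.escapeQueryChars, if that library is already on the classpath.

```java
import java.util.Objects;

/**
 * Hypothetical helper (not part of the Riak Java client). Escapes the
 * characters that carry meaning in the Solr/Lucene query syntax, so a value
 * taken from a login form is confined to the field it is spliced into and
 * cannot append further clauses (OR, wildcards, field selectors) to the query.
 */
public final class SolrTermEscaper {
    // Lucene/Solr query-parser metacharacters, plus whitespace, which would
    // otherwise terminate the term and start a new clause.
    private static final String SPECIAL = "\\+-!():^[]\"{}~*?|&;/ \t\n\r";

    public static String escape(String raw) {
        Objects.requireNonNull(raw, "raw");
        StringBuilder sb = new StringBuilder(raw.length() * 2);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (SPECIAL.indexOf(c) >= 0) {
                sb.append('\\');   // backslash-escape, as the Solr syntax defines
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Same query string as in the thread, with the email escaped first. */
    public static String accountQuery(String userEmail) {
        return "_yz_rb:accounts AND email:" + escape(userEmail);
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal address, and a value that tries to add
        // an extra clause of the kind Chris describes.
        String benign = "alice@example.com";
        String hostile = "bob OR email:*";
        System.out.println(accountQuery(benign));
        // _yz_rb:accounts AND email:alice@example.com   ('@' is not special)
        System.out.println(accountQuery(hostile));
        // _yz_rb:accounts AND email:bob\ OR\ email\:\*   (one literal term)
        // The returned string is what you would pass as the query argument of
        // new Search.Builder("test", ...) in the Riak client.
    }
}
```

Escaping keeps the value inside the email field; validating the address against the format you expect (an allow-list check) before querying is a cheap additional layer and rejects most malformed input outright.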
_______________________________________________
riak-users mailing list
[email protected]
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
