Thanks. Looks like it is in the Solr ClientUtils.java class. Now need to decide whether to import solr into client code or dup the function.
Jason

On Mon, Mar 23, 2015 at 2:59 PM, Alexander Sicular <[email protected]> wrote:
> I'll second what Chris said. Afaik, Solr does not solve this problem for
> you. Riak won't either. I just googled for "sanitize solr query inputs in
> java" and there are quite a few hits. I'd use that as a starting point but
> I'm a bit surprised there isn't a lib somewhere that makes this a non
> problem...
>
> -Alexander
>
> @siculars
> http://siculars.posthaven.com
>
> Sent from my iRotaryPhone
>
> On Mar 23, 2015, at 13:43, Jason W <[email protected]> wrote:
>
> Thanks Chris. I meant the query injection. Was really looking for an api
> that takes a parametrized query in the riak java client, do you know whether solr
> provides that? It would not be an easy task to do a 100% secure sanitize
> function, the above query is really just a simple use case.
>
> Jason
>
> On Mon, Mar 23, 2015 at 1:49 PM, Christopher Meiklejohn <
> [email protected]> wrote:
>
>> > On Mar 22, 2015, at 7:03 PM, Jason W <[email protected]> wrote:
>> >
>> > Hello,
>> >
>> > I try to use the riak search java client, specifically the
>> Search.Builder class, like the following
>> >
>> > Search search = new Search.Builder("test", "_yz_rb:accounts AND email:"
>> + [user-email]).
>> >
>> > "[user-email]" is what the user entered in the login form, my question is
>> about sql injection, it seems like the java search client api doesn't
>> prevent sql injection, are there any other api/methods that I can use to
>> prevent this? Thank you
>>
>> Hello Jason,
>>
>> Search is not SQL; queries are specified in the Solr [1] query syntax so
>> they're not vulnerable to a SQL injection attack, given the basis of a SQL
>> injection attack is to end a query and start a new one using unvalidated
>> syntax. While it's not directly the same thing, in the same class of
>> attacks it's possible for a user to add additional criteria to the query
>> given the way you've written your search query. I highly recommend you
>> sanitize your inputs before passing them to the query builder.
>>
>> - Chris
>>
>> [1] https://wiki.apache.org/solr/SolrQuerySyntax
>>
>> Christopher Meiklejohn
>> Senior Software Engineer
>> Basho Technologies, Inc.
>> [email protected]
>
> _______________________________________________
> riak-users mailing list
> [email protected]
> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
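The "dup the function" option Jason mentions, worked through as an added example that is not part of the thread or of the Riak or Solr projects' own code: `escapeQueryChars` below follows the same escaping rule as Solr's `ClientUtils.escapeQueryChars` (backslash-prefix every query-syntax character and every whitespace character), so the client needs no Solr dependency. The class name, the `accountQuery` helper and the sample addresses are assumptions made for this example; the query string and the `Search.Builder("test", ...)` call are the ones from the thread.

```java
import java.util.Arrays;
import java.util.List;

/**
 * Escapes user input before it is concatenated into a Riak Search (Solr) query.
 * Reimplements the escaping rule of Solr's ClientUtils.escapeQueryChars so the
 * client code does not have to pull in the Solr library. (Added example; the
 * class and helper names are assumptions, not Riak or Solr API.)
 */
public final class SolrQueryEscaper {

    /** Backslash-escape every character the Solr query parser treats as syntax. */
    public static String escapeQueryChars(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            // Query operators, grouping, field separators, wildcards and whitespace
            // (whitespace matters: unescaped, it would split the value into new terms).
            if (c == '\\' || c == '+' || c == '-' || c == '!' || c == '(' || c == ')'
                    || c == ':' || c == '^' || c == '[' || c == ']' || c == '"'
                    || c == '{' || c == '}' || c == '~' || c == '*' || c == '?'
                    || c == '|' || c == '&' || c == ';' || c == '/'
                    || Character.isWhitespace(c)) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** The query from the thread, with the login-form value escaped (helper name assumed). */
    public static String accountQuery(String userEmail) {
        return "_yz_rb:accounts AND email:" + escapeQueryChars(userEmail);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a plain address and one carrying Solr syntax.
        // Unescaped, the second one turns into extra criteria ("OR *:*" matches every
        // document); escaped, it is just an e-mail value that matches nothing.
        List<String> inputs = Arrays.asList(
                "alice@example.com",
                "alice@example.com OR *:*");
        for (String input : inputs) {
            System.out.println("raw    : _yz_rb:accounts AND email:" + input);
            System.out.println("escaped: " + accountQuery(input));
        }
        // The escaped string is what goes into the Riak client, as in the thread:
        //   new Search.Builder("test", accountQuery(userEmail))
    }
}
```

Escaping keeps the value inside the `email:` term, but it is still worth validating the input as an e-mail address first and rejecting anything that does not look like one; escaping only stops the value from changing the query's structure, it does not decide whether the value belongs in the query at all.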
