Sunday 15 March 2015

security - Does using non-SQL databases obviate the need for guarding against "SQL injection"?


This may sound like an obvious (or not so obvious) question, but let me explain how it came up. I'm coding a Google App Engine site using BigTable, Google's database technology. Any App Engine coders will know that Google has its own limited query language, called GQL. As a result, I'm inclined not to do any investigation into SQL (or GQL) injection in my app, because I believe Google is not running raw string queries on its backend methods to get the data.

In addition to this, the libraries for object or document DB technologies such as CouchDB, MongoDB and others (aka NoSQL) seem to end the need to check for malicious user DB-manipulation command injection, whether or not they are actually doing so: they often have libraries that map the stored objects directly to objects in the preferred language. I know there are several SQL libraries which do this as well, but I think that at some level they are still adding parameters to a string to run a query, and thus I would still have to use SQL injection protection along with those frameworks.

Am I short-sighted? Or is it just a matter of time until the next great DB system is compromised and I see injection flaws in those systems too?

"Injection" holes are all about context mismatch: every time you put a string of text into another context, you have to encode it to fit that new context. Strings seem simple at first glance, but string processing across contexts is deceptively difficult.

Databases with purely object-based interfaces are immune to injection vulnerabilities, in the same way that parameterised queries are in SQL.

But GQL in particular is not. It is a string query language, and if you add untrusted, unescaped content to a query like "WHERE title = '%s'" % title, you are just as vulnerable as you would be on full SQL. It may be that GQL's limited capabilities make it harder to exploit the application to full compromise, but it is certainly not impossible, and in the best case your application is still wrong and will fail when people legitimately use apostrophes.

GQL has a parameter binding interface. Use it. Resist the temptation of string hacking.
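The answer's point can be checked mechanically: if the structure of a query depends on the data you put into it, the data has crossed into the query context. The following is an added illustration, not code from the question, the answer, or Google's SDK. Since GQL itself needs the App Engine runtime, it uses a small constructed tokenizer for a GQL-like WHERE clause; the sample titles, the tokenizer grammar and the helper names are all assumptions made here. It compares the "%s" formatting pattern from the answer with a bound-parameter version, using only a legitimate apostrophe in the data.

```python
"""Added illustration of "context mismatch" in a GQL-like query.

Not the original post's code and not the App Engine SDK: the tokenizer below is
a constructed stand-in that only understands quoted strings, :N parameters,
words and a few operator characters.
"""
import re

# One token per quoted string ('' is the escaped quote inside a literal),
# bound parameter (:1, :2, ...), bare word, or operator character.
TOKEN_RE = re.compile(r"'(?:[^']|'')*'|:\d+|\w+|[=<>()]")


def tokenize(clause):
    """Split a GQL-like WHERE clause into tokens; whitespace is dropped."""
    return TOKEN_RE.findall(clause)


def shape(clause):
    """The clause's structure: every string literal collapsed to one placeholder."""
    return ["<str>" if t.startswith("'") else t for t in tokenize(clause)]


def build_by_formatting(title):
    """The pattern the answer warns against: untrusted text pasted into query syntax."""
    return "WHERE title = '%s' AND public = TRUE" % title


def build_with_binding(title):
    """Query text is a constant; the value travels separately as parameter :1."""
    return "WHERE title = :1 AND public = TRUE", (title,)


# The structure the developer intended, derived from the bound form.
EXPECTED_SHAPE = shape("WHERE title = :1 AND public = TRUE")
# -> ['WHERE', 'title', '=', ':1', 'AND', 'public', '=', 'TRUE']


def structure_preserved(title):
    """Return (formatting_ok, binding_ok) for one title value.

    formatting_ok is True only if pasting the title into the query left the
    intended structure intact. binding_ok is True by construction, because the
    query text never changes with the data.
    """
    intended = ["<str>" if t == ":1" else t for t in EXPECTED_SHAPE]
    formatting_ok = shape(build_by_formatting(title)) == intended
    bound_text, _params = build_with_binding(title)
    binding_ok = shape(bound_text) == EXPECTED_SHAPE
    return formatting_ok, binding_ok


if __name__ == "__main__":
    # Constructed sample titles: a plain one and one with an ordinary apostrophe.
    for sample in ["Hello", "O'Brien's notes"]:
        fmt_ok, bind_ok = structure_preserved(sample)
        print("%-16r formatting keeps structure: %-5s binding keeps structure: %s"
              % (sample, fmt_ok, bind_ok))
        print("   formatted query tokens:", tokenize(build_by_formatting(sample)))
```

With "O'Brien's notes" the formatted clause tokenizes as 'O', Brien, 's notes' and so on: the apostrophe in the data ended the string literal early and the rest of the title became query syntax. That is exactly the failure the answer describes, and it is the same mechanism an attacker would rely on with a crafted value. The bound form keeps the shape ['WHERE', 'title', '=', ':1', ...] whatever the title contains. In real App Engine code the bound form is db.GqlQuery("SELECT * FROM Entry WHERE title = :1", title), which is the parameter binding interface the answer refers to.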
