
How can I protect Amazon SimpleDB from SQL Injection?

Question:

Under the principle of "if it walks like a duck and it sounds like a duck," it sure seems like the SQL-flavored queries that Amazon's SimpleDB supports should be susceptible to SQL injection-type attacks. Here's a simple example that assumes the attacker's input is going into the variable $category, and that he can guess a column name:

    $category = "Clothes' OR Category LIKE '%";
    $results = $sdb->select("SELECT * FROM `{$domain}` WHERE Category = '$category'");

If you're playing the home game, these lines can be an in-place replacement for line 119 in the file html-sdb_create_domain_data.php in the sample code in Amazon's PHP SDK (1.2).

Amazon publishes quoting rules (http://docs.amazonwebservices.com/AmazonSimpleDB/latest/DeveloperGuide/index.html?UsingSelect.html), and I suppose I could write something that ensures that any " or ' in user input gets doubled up... but I've always understood that escaping is basically an arms race, which makes parametrization my weapon of choice when using, for example, MySQL.

What are other people using to defend SimpleDB queries?

Answer1:

The SimpleDB Select operation is non-destructive, so the only thing to protect against is extra query data going out to the attacker.

The solution to sanitize user input to the query is pretty easy with SimpleDB since sub-selects and compound statements are not allowed. So it's not really an arms race; sequences of one or more quote characters in the input must be escaped if the length of the sequence is odd.
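The following is an added example (it is not code from the question, the answer, or Amazon's PHP SDK) showing the injection from the question next to the quote-doubling that the answer describes. The quoting functions implement SimpleDB's documented rule: a string literal is enclosed in single quotes and a single quote inside it is written twice; an attribute or domain name is enclosed in backticks and a backtick inside it is doubled. The domain name is a constructed sample value, and the `$sdb->select()` call from the SDK is only referenced in a comment.

```php
<?php
// Added example, not part of the original post or the AWS PHP SDK.

/**
 * Quote a string value for a SimpleDB Select expression.
 * Every single quote is doubled, so a run of quotes in the input always
 * ends up with an even length and can never terminate the literal early.
 */
function sdbQuoteValue(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

/**
 * Quote an attribute or domain name for a SimpleDB Select expression.
 * Identifiers are delimited with backticks; an embedded backtick is doubled.
 */
function sdbQuoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Build the query from the question with both the domain name and the
 * user-supplied category value quoted.
 */
function buildCategorySelect(string $domain, string $category): string
{
    return 'SELECT * FROM ' . sdbQuoteIdentifier($domain)
         . ' WHERE Category = ' . sdbQuoteValue($category);
}

// Constructed sample domain name and the exact payload from the question.
$domain   = 'example_domain';
$category = "Clothes' OR Category LIKE '%";

// Direct interpolation: the payload closes the literal and appends a second
// predicate that matches every item in the domain.
$vulnerable = "SELECT * FROM `{$domain}` WHERE Category = '$category'";

// Quoted: the whole payload stays inside one string literal and is compared
// as data against the Category attribute.
$safe = buildCategorySelect($domain, $category);

echo $vulnerable, PHP_EOL;
echo $safe, PHP_EOL;

// With the SDK 1.2 client from the question (assumed usage, not run here):
// $results = $sdb->select($safe);
```

Run with `php` on the command line and compare the two printed expressions: in the first, the attacker's `OR Category LIKE '%'` sits outside the string literal as a live predicate; in the second, the doubled quotes keep it inside the literal. Because `str_replace` doubles every quote unconditionally, odd-length and even-length runs of quotes are both handled without counting them, which is why this is a fixed rule rather than the arms race the question worries about.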
