i8oell

Reputation: 31

How to protect against SQL Injection with pandas read_gbq

How do I use pandas_gbq.read_gbq safely to protect against SQL injection, as I cannot find a way in the docs to parametrize it?

I've looked at the docs for a way to parametrize, as well as Google's website and other sources.

df_valid = read_gbq(QUERY_INFO.format(variable), project_id='project-1622', location='EU')

where the query looks like:

SELECT name, date FROM table WHERE id = '{0}'

I can input p' or '1'='1 and it works.

Upvotes: 2

Views: 1067

Answers (1)

Parfait

Reputation: 107687

Per the Google BigQuery docs, you have to pass a configuration with a parameterized SQL statement:

import pandas as pd

# The SQL text is fixed; @id is a named query parameter, not string-formatted input.
sql = "SELECT name, date FROM table WHERE id = @id"

# This dict is passed through to the BigQuery jobs.query request body.
# Parameter values are sent as strings in the API, so a STRING parameter
# takes '1', not the integer 1.
query_config = {
    'query': {
        'parameterMode': 'NAMED',
        'queryParameters': [
            {
                'name': 'id',
                'parameterType': {'type': 'STRING'},
                'parameterValue': {'value': '1'}
            }
        ]
    }
}

df = pd.read_gbq(sql, project_id='project-1622', location='EU', configuration=query_config)

Upvotes: 2
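The following is an added example, not code from the question or the answer above. It puts the vulnerable str.format pattern from the question next to a small helper that builds the `configuration` dict the answer describes, so the two can be compared on the exact payload the asker tried. The SQL text, project id and location are taken from the question; `build_query_config`, `fetch_by_id` and the `fake_read_gbq` stand-in used in the demo are hypothetical names introduced here, and the type map covers only STRING, INT64 and FLOAT64. Two caveats the answer does not spell out: BigQuery query parameters are a standard-SQL feature (pandas-gbq uses the standard dialect by default in current releases, so do not pass dialect='legacy'), and they can only carry values. A table or column name cannot be parameterized, so a dynamic table name has to be checked against an allowlist instead, as `qualified_table` does below.

```python
from typing import Any, Callable, Dict, List

# Vulnerable pattern from the question: the user value is spliced into the SQL text.
QUERY_INFO = "SELECT name, date FROM table WHERE id = '{0}'"

# Hardened pattern from the answer: fixed SQL text with a named placeholder.
SAFE_SQL = "SELECT name, date FROM table WHERE id = @id"

# Hypothetical allowlist for the one thing parameters cannot cover: identifiers.
TABLE_ALLOWLIST = {"users", "orders"}


def vulnerable_sql(user_value: str) -> str:
    """What str.format hands to read_gbq. Kept only to show the tautology."""
    return QUERY_INFO.format(user_value)


def build_query_config(params: Dict[str, Any]) -> Dict[str, Any]:
    """Build the `configuration` dict pandas_gbq.read_gbq forwards to BigQuery.

    Each value becomes a NAMED query parameter. The REST API carries parameter
    values as strings, so they are str()-ed here; the SQL text never changes.
    """
    type_map = {str: "STRING", int: "INT64", float: "FLOAT64"}
    query_parameters: List[Dict[str, Any]] = []
    for name, value in params.items():
        bq_type = type_map.get(type(value))
        if bq_type is None:
            raise TypeError(f"unsupported parameter type for {name!r}: {type(value).__name__}")
        query_parameters.append({
            "name": name,
            "parameterType": {"type": bq_type},
            "parameterValue": {"value": str(value)},
        })
    return {"query": {"parameterMode": "NAMED", "queryParameters": query_parameters}}


def qualified_table(name: str) -> str:
    """Identifiers cannot be parameterized; accept only allowlisted table names."""
    if name not in TABLE_ALLOWLIST:
        raise ValueError(f"table {name!r} is not allowlisted")
    return f"`{name}`"


def fetch_by_id(read_gbq: Callable[..., Any], user_id: str,
                project_id: str = "project-1622", location: str = "EU") -> Any:
    """Run SAFE_SQL with user_id bound as @id. read_gbq is injected so the
    call can be exercised without a BigQuery connection."""
    config = build_query_config({"id": user_id})
    return read_gbq(SAFE_SQL, project_id=project_id, location=location,
                    configuration=config)


if __name__ == "__main__":
    payload = "p' or '1'='1"  # the asker's test input

    # Vulnerable: the payload rewrites the WHERE clause into a tautology.
    print(vulnerable_sql(payload))

    # Hardened: the SQL text is unchanged; the payload travels as a value.
    cfg = build_query_config({"id": payload})
    print(SAFE_SQL)
    print(cfg["query"]["queryParameters"][0]["parameterValue"]["value"])

    # Constructed stand-in for pandas_gbq.read_gbq that just records its arguments.
    def fake_read_gbq(sql: str, **kwargs: Any) -> Dict[str, Any]:
        return {"sql": sql, **kwargs}

    print(fetch_by_id(fake_read_gbq, payload)["sql"])
    print(qualified_table("users"))
```

In production the injected callable is `pandas_gbq.read_gbq` itself; the fake exists only so the parameter handling can be checked offline.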
