Reputation: 965
I want to allow SELECT queries to my database, but do not want to allow updates (or drops!).
Is it sufficient to ensure the query starts with SELECT and does not contain a semicolon?
I am using JDBC to execute the query, currently against MySQL, but hope not to limit it to that.
Edit: I appreciate the caution of using a user who cannot update, but want to know if that is necessary, rather than just superstitious.
Upvotes: 1
Views: 101
Reputation: 562661
You must not execute code submitted by users. Allowing users to submit code is a great way to open yourself up to a denial of service attack, at the very least. For example, an attacker could easily submit a query with a huge Cartesian product guaranteed to bring down your server.
You can safely allow users to specify values, but not code. Then combine the values they enter into your SQL queries by using prepared statements with parameters.
Allowing users to submit SQL queries is as dangerous as shell_exec($_GET["cmd"]);
Upvotes: 1
Reputation: 2236
A better way to go about this is to create a new account and allow the account certain commands.
Upvotes: 3
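Added example, not code from the question or from either answer: it runs the check proposed in the question next to the two defenses the answers recommend (values bound as parameters, and a connection that cannot write). It assumes Python's sqlite3 as a stand-in for the JDBC/MySQL setup, with the read-only connection playing the role of the restricted account; the table, the function names and the sample values are constructed for illustration.

```python
import sqlite3
import tempfile
from pathlib import Path

def naive_filter(sql: str) -> bool:
    """The check from the question: starts with SELECT and has no semicolon."""
    s = sql.strip()
    return s.upper().startswith("SELECT") and ";" not in s

def build_db(path: Path, rows: int = 20) -> None:
    """Create a constructed sample table (hypothetical schema)."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
        conn.executemany("INSERT INTO users (name) VALUES (?)",
                         [(f"user{i}",) for i in range(rows)])
    conn.close()

def open_read_only(path: Path) -> sqlite3.Connection:
    """Read-only handle: the engine, not a string check, refuses writes."""
    return sqlite3.connect(path.as_uri() + "?mode=ro", uri=True)

def find_user(conn: sqlite3.Connection, name: str) -> list:
    """User input is bound as a value; it never becomes SQL text."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

def write_is_refused(conn: sqlite3.Connection) -> bool:
    try:
        conn.execute("DELETE FROM users")
    except sqlite3.OperationalError:
        return True
    return False

# Passes naive_filter, yet the work grows as rows**3 (the Cartesian product case).
CROSS_JOIN = "SELECT count(*) FROM users a, users b, users c"

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "sample.db"
        build_db(path)
        ro = open_read_only(path)
        result = {
            "filter_accepts_cross_join": naive_filter(CROSS_JOIN),
            "cross_join_rows": ro.execute(CROSS_JOIN).fetchone()[0],
            "hostile_value_matches": find_user(ro, "user1; DROP TABLE users"),
            "normal_lookup": find_user(ro, "user1"),
            "write_refused": write_is_refused(ro),
        }
        ro.close()
        return result
```

Calling demo() returns the results as a dict. The string check says nothing about query cost, which is why the first answer's point about resource exhaustion still applies even on a connection that cannot write.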