PhilHibbs
SQL Injection Defence

Are there any tools in Talend to protect against SQL injection attacks? Something like the PostgreSQL quote_literal and quote_ident functions.
I found a question from 2013 that doesn't have a satisfactory answer; it seems baffling to me that this isn't standard functionality, as rolling your own security is never a great idea.
I need to do this on Hive, which I don't think has prepared statements. Actually, this isn't a pressing need right now: my strings are built by splitting on anything non-alphabetical, so they can't contain syntax, but I want to be prepared in case I need to query based on arbitrary input.
Yours sincerely,

Phil';drop table users;-- Hibbs
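The quote_literal/quote_ident behaviour asked about above, written as an added example in the form of a Talend-style Java routine. It is not Talend's code and not from the thread; the class name, the `users` table, the column allowlist and the sample input are assumptions made for illustration. It targets HiveQL, whose string literals use C-style backslash escaping, so `\` and `'` are backslash-escaped rather than doubled; identifiers are not escaped at all but checked against a regex and a developer-supplied allowlist before being backtick-quoted, which is the safer pattern when column names come from outside. Where the driver in use does expose a parameterised statement, that remains preferable to any escaping routine.

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hypothetical Talend-style routine (not part of Talend) for building HiveQL
 * from untrusted input. Assumes HiveQL escaping rules: C-style backslash
 * escapes in string literals, backtick-quoted identifiers.
 */
public class HiveSqlQuoting {

    // Assumed identifier grammar: letter or underscore, then letters/digits/underscores.
    // Backticks and whitespace are excluded, so no escaping inside backticks is needed.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    /** Counterpart of PostgreSQL quote_literal: returns a single-quoted HiveQL literal. */
    public static String quoteLiteral(String value) {
        if (value == null) {
            return "NULL";
        }
        StringBuilder sb = new StringBuilder(value.length() + 2).append('\'');
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\\\"); break;   // escape the escape character first
                case '\'': sb.append("\\'");  break;   // closing quote cannot be smuggled in
                case '\0': throw new IllegalArgumentException("NUL byte not allowed in literal");
                default:   sb.append(c);
            }
        }
        return sb.append('\'').toString();
    }

    /**
     * Counterpart of quote_ident, but allowlist-based: the name must match the
     * identifier grammar AND be one the developer has declared acceptable.
     * Rejecting is safer than escaping for identifiers that come from user input.
     */
    public static String quoteIdent(String name, Set<String> allowedNames) {
        if (name == null || !IDENT.matcher(name).matches() || !allowedNames.contains(name)) {
            throw new IllegalArgumentException("identifier not permitted: " + name);
        }
        return "`" + name + "`";
    }

    /** Example assembly of a WHERE clause from an untrusted column name and value. */
    public static String buildLookup(String column, String value, Set<String> allowedColumns) {
        String col = quoteIdent(column, allowedColumns);
        return "SELECT id, " + col + " FROM users WHERE " + col + " = " + quoteLiteral(value);
    }

    public static void main(String[] args) {
        // Constructed sample input, including the signature from the post above.
        Set<String> allowed = Set.of("name", "email");
        System.out.println(buildLookup("name", "Phil';drop table users;-- Hibbs", allowed));

        // A column name that is not on the allowlist is rejected rather than quoted.
        try {
            buildLookup("name`; drop table users; --", "x", allowed);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Dropped into a Talend routine, `quoteLiteral` and `quoteIdent` can be called from the SQL expression of a database input component; the allowlist is the piece the question's "split on anything non-alphabetical" approach already provides implicitly, made explicit so it still holds once arbitrary input is accepted.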

1 Reply
Anonymous

Talend Big Data isn't a user facing application. It is intended to be used by experienced developers to build back-end functionality. While I understand that sometimes that functionality will work based on inputs from users, I am not quite sure how automatic protection could be applied that wouldn't inhibit legitimate use cases that might require users to be able to supply their own SQL. Who says that "'1234' Union Select column from Table WHERE SomeRequirement ='something'" isn't a legitimate response to a WHERE Clause? Unlikely, granted. But developers being able to ensure safety here is as important as preventing NullPointerException scenarios.