
I created an AWS Lambda function that fetches data from an RDS (Postgres) instance and returns it as JSON via an API Gateway URL. The URL accepts 3 GET parameters, which are used to filter the data based on the user's needs.

My question is, how safe is it (in terms of attacks like SQL injection etc.) to share the URL with developers who want to see my data? The idea is to use this infrastructure as a temporary API alternative, to gather usage feedback.

Vasilis

1 Answer

> My question is, how safe is it (in terms of attacks like SQL injection etc.) to share the URL with developers who want to see my data? The idea is to use this infrastructure as a temporary API alternative, to gather usage feedback.

If you're trying to mitigate SQL injection specifically, you just need to ensure that your code makes use of parameterized queries. If you're concatenating strings to build a SQL query, you're likely vulnerable to SQL injection. Even with character filtering and escaping you can often still wind up vulnerable to SQL injection, so you should make sure to use a library that supports parameterized queries out of the box.

Based on your history, it seems you use PHP. For Postgres, PHP has pg_prepare, which is safe from SQL injection: https://www.php.net/manual/en/function.pg-prepare.php

refineryio
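The following is an added example, not code from the question or the answer above. It puts the string-concatenation pattern the answer warns about next to a version that binds the three GET parameters with pg_prepare/pg_execute, and it also covers the one thing a placeholder cannot carry: a column name used in ORDER BY, which has to be mapped through a fixed whitelist instead. The table name `readings`, its columns, the `DSN` environment variable and the `queryStringParameters` layout of the API Gateway event are all assumptions made for the illustration.

```php
<?php
// Added example (not from the original post). Assumes a Postgres connection
// string in the DSN environment variable and a table "readings" with columns
// sensor_id (integer), region (text), ts (timestamp) and value; all of these
// names are placeholders chosen for illustration.
declare(strict_types=1);

// --- Vulnerable pattern: the GET parameters become part of the SQL text.
// Whoever can reach the API Gateway URL controls part of the query.
function build_query_unsafe(array $get): string
{
    return "SELECT sensor_id, region, ts, value FROM readings"
         . " WHERE region = '" . $get['region'] . "'"
         . " AND sensor_id = " . $get['sensor_id']
         . " ORDER BY " . $get['sort'];
}

// --- Safe pattern: validate each parameter's shape, bind values with
// pg_prepare/pg_execute, and whitelist the identifier that cannot be bound.
function fetch_readings($conn, array $get): array
{
    // Binding alone stops injection; validation additionally rejects junk
    // before it ever reaches the database.
    $sensorId = filter_var($get['sensor_id'] ?? '', FILTER_VALIDATE_INT);
    if ($sensorId === false) {
        throw new InvalidArgumentException('sensor_id must be an integer');
    }
    $region = (string) ($get['region'] ?? '');
    if ($region === '' || strlen($region) > 64) {
        throw new InvalidArgumentException('region must be 1-64 characters');
    }

    // Column names are not values and cannot be passed as $n parameters, so
    // the user-facing sort key is mapped to a fixed column name.
    $sortColumns = ['time' => 'ts', 'value' => 'value'];
    $sort = $sortColumns[$get['sort'] ?? 'time'] ?? null;
    if ($sort === null) {
        throw new InvalidArgumentException('sort must be "time" or "value"');
    }

    // $1 and $2 are positional placeholders: Postgres receives the values
    // separately from the statement text, so quotes inside $region are data.
    $sql = 'SELECT sensor_id, region, ts, value FROM readings'
         . ' WHERE region = $1 AND sensor_id = $2'
         . ' ORDER BY ' . $sort . ' LIMIT 100';

    // An empty statement name creates the unnamed prepared statement, which
    // can be re-prepared on a reused connection without a name clash.
    if (pg_prepare($conn, '', $sql) === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    $result = pg_execute($conn, '', [$region, $sensorId]);
    if ($result === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    return pg_fetch_all($result) ?: [];
}

// Lambda-style handler: the API Gateway event carries the GET parameters in
// queryStringParameters (assumed layout). The DSN comes from the environment,
// never from the request.
function handler(array $event): array
{
    $conn = pg_connect((string) getenv('DSN'));
    if ($conn === false) {
        return ['statusCode' => 500, 'body' => json_encode(['error' => 'db unavailable'])];
    }
    try {
        $rows = fetch_readings($conn, $event['queryStringParameters'] ?? []);
        return ['statusCode' => 200, 'body' => json_encode($rows)];
    } catch (InvalidArgumentException $e) {
        return ['statusCode' => 400, 'body' => json_encode(['error' => $e->getMessage()])];
    } finally {
        pg_close($conn);
    }
}
```

`build_query_unsafe` is kept only to show the shape of the problem; with `region=x' OR '1'='1` as input it produces a query whose WHERE clause no longer means what the author intended, while `fetch_readings` sends that same string to Postgres as an ordinary parameter value. The whitelist for `sort` is the part people most often forget: escaping does not help for identifiers, and a placeholder is not allowed there, so the only safe option is a fixed mapping.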