Since App Engine doesn't actually use SQL, does that mean that App Engine apps are immune from SQL injection attacks?
If you can categorically state that App Engine does not use SQL anywhere (either directly through the front-end, or somewhere on the back-end) then it's immune to such attacks. Otherwise, who knows. – Will A Jun 02 '11 at 23:08
Are you referring to [Datastore](https://developers.google.com/appengine/docs/java/datastore/)? – Abel Callejo Jan 28 '14 at 11:54
2 Answers
Yes, they are both equally susceptible to injection attacks, provided you do something along the lines of concatenating user-inputs with the GQL string.
However, if you follow Google's best-practice suggestion of using parameters when inputting values in a GQL string, you should be fine with GQL. So instead of:
```python
from google.appengine.ext.db import GqlQuery  # the class the snippets below call

query = GqlQuery("SELECT * FROM Song WHERE composer = 'Lennon, John'")
```
you can use:
```python
query = GqlQuery("SELECT * FROM Song WHERE composer = :1", "Lennon, John")
```
or:
```python
query = GqlQuery("SELECT * FROM Song WHERE composer = :composer", composer="Lennon, John")
```
Additionally, you will avoid this problem entirely by using the Query class to generate the query.
Well no SQL==no SQL injection, by definition. :-)
But you could certainly do GQL injection, if the app is using GQL and naïvely sticking string literal values into queries without escaping. The damage you can do with that is less than some variants of SQL that let you `;`-terminate the current query and begin a new one in the same string, but it's still potentially dangerous.
GQLQuery provides a simple built-in parameter binding mechanism, though (unlike some languages' default libraries...). So there's really no excuse to still be stuffing string literals into a query string.
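An added example, not from either answer and not App Engine's own code: a small `ast`-based review check that flags `GqlQuery` calls whose query text is assembled at runtime (concatenation, `%`, `str.format`, f-strings) instead of being a fixed template with `:1` / `:name` placeholders and separately passed values. The source it scans is constructed for the demo.

```python
"""Flag GqlQuery() calls whose query text is built dynamically (likely GQL injection)."""
import ast

# Constructed sample: one concatenated query, the two bound forms from the answer,
# and two more dynamic variants that should also be flagged.
SAMPLE = '''
query = GqlQuery("SELECT * FROM Song WHERE composer = '" + composer + "'")
query = GqlQuery("SELECT * FROM Song WHERE composer = :1", composer)
query = GqlQuery("SELECT * FROM Song WHERE composer = :composer", composer=composer)
query = GqlQuery("SELECT * FROM Song WHERE composer = '%s'" % composer)
query = GqlQuery(f"SELECT * FROM Song WHERE composer = '{composer}'")
'''


def _is_gql_call(node):
    """True for GqlQuery(...) and db.GqlQuery(...) style calls."""
    func = node.func
    name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
    return name == "GqlQuery"


def _explain(text):
    """Describe how the non-literal query text is being built."""
    if isinstance(text, ast.BinOp):
        return "string concatenation" if isinstance(text.op, ast.Add) else "% formatting"
    if isinstance(text, ast.JoinedStr):
        return "f-string"
    if isinstance(text, ast.Call) and getattr(text.func, "attr", None) == "format":
        return "str.format"
    return "non-literal query text"


def find_dynamic_gql(source):
    """Return sorted (line, reason) pairs for GqlQuery calls whose first argument
    is anything other than a single string literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _is_gql_call(node) and node.args):
            continue
        text = node.args[0]
        if isinstance(text, ast.Constant) and isinstance(text.value, str):
            continue  # fixed template; values must arrive via :1 / :name bindings
        findings.append((node.lineno, _explain(text)))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_dynamic_gql(SAMPLE):
        print(f"line {line}: query text built via {reason}")
```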