Advice on avoiding SQL injections using bind parameters for time

influxql
influxdb
query


When using bind parameters with the time field, since parameters are JSON objects, I can’t pass in anything other than numbers (epoch time ns). If I try now(), I’ll get an "invalid operation: time and *influxql.StringLiteral are not compatible" error.

Some examples

Initialize a database:

InfluxDB shell version: 1.7.2
Enter an InfluxQL query
> create database test
> use test
Using database test
> insert m value=1

Using the HTTP API to query the data

Using epoch time is ok:

select * from m where time > 1547121619977014629
http://172.17.0.2:8086/query?db=test&q=select%20*%20from%20m%20where%20time%20%3E%20$time&params={%22time%22:1547121619977014629}

However, when using RFC3339 format, relative time or the now() function, the request will fail:

select * from m where time > '2019-01-10T13:04:43.061731728+01:00'
http://172.17.0.2:8086/query?db=test&q=select%20*%20from%20m%20where%20time%20%3E%20$time&params={%22time%22:%22%272019-01-10T13:04:43.061731728+01:00%27%22}

select * from m where time > now()-31d
http://172.17.0.2:8086/query?db=test&q=select%20*%20from%20m%20where%20time%20%3E%20$time&params={%22time%22:%22now()-31d%22}

Error:

{
	"results": [{
		"statement_id": 0,
		"error": "invalid operation: time and *influxql.StringLiteral are not compatible"
	}]
}

What is the correct way of passing the different time formats as bind parameters?
Is there a bind-like way for variables outside the where clause (e.g. from ...)?
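
The post shows a numeric epoch-nanosecond value being accepted as a bind parameter while string values are rejected. The sketch below is an added example, not part of the original post: it converts RFC3339 and `now()-<duration>` inputs to that numeric form on the client and rejects everything else before binding. The function names and the restriction to `now()` minus a single duration are assumptions of this example.

```python
import json
import re
import time
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# InfluxQL duration units mapped to nanoseconds.
UNIT_NS = {"ns": 1, "u": 10**3, "ms": 10**6, "s": 10**9,
           "m": 60 * 10**9, "h": 3600 * 10**9,
           "d": 86400 * 10**9, "w": 7 * 86400 * 10**9}
RFC3339 = re.compile(
    r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d{1,9}))?(Z|[+-]\d\d:\d\d)")
RELATIVE = re.compile(r"now\(\)\s*-\s*(\d+)(ns|u|ms|s|m|h|d|w)")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_epoch_ns(value, now_ns=None):
    """Turn an int, RFC3339 string or 'now()-<n><unit>' into epoch nanoseconds."""
    if isinstance(value, int) and not isinstance(value, bool):
        return value
    if not isinstance(value, str):
        raise ValueError("unsupported time value")
    m = RFC3339.fullmatch(value)
    if m:
        base, frac, offset = m.groups()
        dt = datetime.strptime(base + offset, "%Y-%m-%dT%H:%M:%S%z")
        seconds = (dt - EPOCH) // timedelta(seconds=1)
        # Integer math keeps all nine fractional digits (datetime stops at microseconds).
        return seconds * 10**9 + int((frac or "").ljust(9, "0"))
    m = RELATIVE.fullmatch(value)
    if m:
        now_ns = time.time_ns() if now_ns is None else now_ns
        return now_ns - int(m.group(1)) * UNIT_NS[m.group(2)]
    # Anything else, including text that looks like InfluxQL, is rejected, never interpolated.
    raise ValueError("unsupported time value")


def bind_params(since, now_ns=None):
    """JSON for the params field; the bound value is always a number."""
    return json.dumps({"time": to_epoch_ns(since, now_ns)})


def query_url(base_url, db, since, now_ns=None):
    query = "select * from m where time > $time"  # fixed text; only $time varies
    return base_url + "/query?" + urlencode(
        {"db": db, "q": query, "params": bind_params(since, now_ns)})


if __name__ == "__main__":
    # Sample inputs: the three time forms used in the post.
    for t in (1547121619977014629, "2019-01-10T13:04:43.061731728+01:00", "now()-31d"):
        print(query_url("http://172.17.0.2:8086", "test", t))
```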