Protection against query injection?

influxdb
#1

I am using a user’s input to create a query string, and post it to my InfluxDb.

For example, I can have this query string:

“SELECT * FROM MyMeasurement WHERE FOO=BAR”

Where “BAR” is a parameter passed by the user. However, there doesn’t seem to be any protection if I replace “BAR” with “BAR; DROP MEASUREMENT MyMeasurement”. My InfluxDb code is not safe from Bobby Tables. Luckily, this code isn’t running on production yet.

So my question: does InfluxDb offer any kind of protection against this sort of behaviour? For example, can I set it to only allow 1 query per POST request? Or is there some sort of parameterized query system?

#2

Check out bind parameters in the /query HTTP endpoint.

#3

I opened an issue on our docs repo to add a working example of bind parameters. Pull requests welcome!

#4

Thanks @mark ! I read the entire page on how to query data here:

But that page makes no mention of bind parameters. I’m not sure if I can edit the page (like with Wikipedia), but maybe it’s a nice thing to mention there. I can’t see any situation where you don’t want to use parameters as a developer when using user input in your queries. No sane developer wants to use user input directly in their queries, or attempt to sanitize input themselves. That’s what parameters are for!

#5

The guide pages typically give a more brief overview compared to the API documentation, but it seems reasonable to mention bind parameters on the querying guide.

Feel free to either open a new issue on docs or edit the query guide and open a pull request.