I am using epgsql(https://github.com/epgsql/epgsql) lib which allows writing queries like this:

  "INSERT INTO my_table"
  "(item_id, json_data) "
  "VALUES ($1, $2) "
  "ON CONFLICT "
  "DO NOTHING "
  "RETURNING *;",

And then call such queries with different parameters. In general, we expect a wide range of incoming data without any pre-defined format. The only thing we expect is that it's a JSON of the following format: {"field_name": "long value from the user with a potential injection of the SQL code I need to be protected from"}

The question I am having is how do I protect the query from something bad. E.g. that someone enters something like ; DROP table ... --- or anything like that?

CodePudding user response：

In the situation when you provide a service for DB queries really very hard to do a call cleanup.

Only one option coming to my mind:

Normalise the incoming command with upper case, removing of double-spaces, split a command into ";"-lines etc. and then you can potentially do a dictionary search for text as "DROP TABLE…" or "DELETE FROM…" to mark command as a dangerous and prevent execution, other cases can be also provided, but this creates a knowledge base to be maintained.

CodePudding user response：

I think you have to write it by yourself considering other language's implementation.