Question | SQL injection
Closed this issue · 4 comments
Hi,
What is the preferred method to prevent SQL injections using this library?
Thanks
In the next version of OrientDB it should be present.
I believe OrientDB only supports client side prepared statements at the moment, is this correct? The NodeJS library appears to be encoding the values on the client side as well.
We're using 2.1.
References:
https://github.com/codemix/oriento/blob/master/lib/transport/binary/protocol28/operations/command.js
https://github.com/orientechnologies/orientdb/blob/master/core/src/main/java/com/orientechnologies/orient/core/sql/OCommandExecutorSQLSelect.java
Yes @cqcwillard, you're right.
There is no way to perform prepared statements and server-side sanitization like PDO and MySQL do.
I'm planning to add a PDO-like interface to this driver and implement the prepared statement object client side.
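As an added illustration of the client-side prepared statement object described in the comment above (example code written for this thread, not Oriento's or OrientDB's own implementation): a minimal named-parameter binder that encodes each value as a typed literal, refuses values it cannot encode, and skips placeholders that sit inside existing quoted literals. The `:name` placeholder syntax, the class names in the constructed queries, and above all the escaping rule (backslash before backslash and single quote) are assumptions; whatever rule a client uses has to match the server's string grammar exactly, which is why the thread's point about preferring server-side prepared statements stands.

```javascript
'use strict';

// Quote a JS string as a SQL string literal.
// ASSUMED escaping rule: backslash-escape backslash and single quote.
// This must be verified against the server's parser; client-side encoding
// is only as safe as this rule is complete.
function quoteString(s) {
  return "'" + s.replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
}

// Encode one parameter value as a SQL literal, or throw on anything that
// cannot be encoded safely (plain objects, functions, NaN, Infinity, ...).
function encodeValue(v) {
  if (v === null || v === undefined) return 'null';
  if (typeof v === 'boolean') return v ? 'true' : 'false';
  if (typeof v === 'number') {
    if (!Number.isFinite(v)) throw new TypeError('non-finite number parameter');
    return String(v);
  }
  if (typeof v === 'string') return quoteString(v);
  if (Array.isArray(v)) return '[' + v.map(encodeValue).join(', ') + ']';
  throw new TypeError('unsupported parameter type: ' + typeof v);
}

// Substitute :name placeholders (outside quoted literals) with encoded values.
// Every placeholder needs a value and every value must be used, so a typo in
// either direction fails loudly instead of producing a subtly different query.
function bind(sql, params) {
  const used = new Set();
  let out = '';
  let i = 0;
  while (i < sql.length) {
    const c = sql[i];
    if (c === "'") {
      // Copy an existing quoted literal verbatim, honouring backslash escapes,
      // so a ':' inside it (e.g. a URL) is never treated as a placeholder.
      let j = i + 1;
      while (j < sql.length && sql[j] !== "'") j += sql[j] === '\\' ? 2 : 1;
      if (j >= sql.length) throw new Error('unterminated string literal in template');
      out += sql.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    const m = c === ':' ? /^:([A-Za-z_][A-Za-z0-9_]*)/.exec(sql.slice(i)) : null;
    if (m) {
      const name = m[1];
      if (!Object.prototype.hasOwnProperty.call(params, name)) {
        throw new Error('missing parameter: ' + name);
      }
      used.add(name);
      out += encodeValue(params[name]);
      i += m[0].length;
      continue;
    }
    out += c;
    i += 1;
  }
  for (const k of Object.keys(params)) {
    if (!used.has(k)) throw new Error('unused parameter: ' + k);
  }
  return out;
}

// Naive concatenation, kept only for contrast: a quote inside the value ends
// the literal early and the remainder of the input becomes part of the statement.
function naiveConcat(name) {
  return "SELECT FROM OUser WHERE name = '" + name + "'";
}

// Constructed sample input containing a quote character.
const sample = { name: "o'brien", active: true };
console.log(bind('SELECT FROM OUser WHERE name = :name AND active = :active', sample));
console.log(naiveConcat(sample.name));
```

Binding keeps `o'brien` inside one literal, while the naive version emits `name = 'o'brien'`, a statement whose structure was decided by the input rather than by the code. The binder's strictness (unknown types, missing or unused parameters, unterminated literals all throw) is deliberate: a client-side encoder that silently guesses is the failure mode the thread warns about.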
I was really excited to try out OrientDB. This is pretty much a non-starter for me though. Security features are super important, they should be supported server side and not reimplemented in each client.