How can I protect Amazon SimpleDB from SQL Injection?

Question

Under the principle of "if it walks like a duck and it sounds like a duck," it sure seems like the SQL-flavored queries that Amazon's SimpleDB supports should be susceptible to SQL injection-type attacks. Here's a simple example that assumes the attacker's input is going into the variable $category, and that he can guess a column name:

$category = "Clothes' OR Category LIKE '%";
$results = $sdb->select("SELECT * FROM `{$domain}` WHERE Category = '$category'");

If you're playing the home game, these lines can be an in-place replacement for line 119 in the file html-sdb_create_domain_data.php in the sample code in Amazon's PHP SDK (1.2).

Amazon publishes quoting rules, and I suppose I could write something that ensures that any " or ' in user input gets doubled up... but I've always understood that escaping is basically an arms race, which makes parametrization my weapon of choice when using, for example, MySQL.

What are other people using to defend SimpleDB queries?

Answer 1

The SimpleDB Select operation is non destructive, so the only thing to protect against is extra query data going out to the attacker.

The solution to sanitize user input to the query is pretty easy with SimpleDB since sub-selects and compound statements are not allowed. So it's not really an arms race; sequences of one or more quote characters in the input must be escaped if the length of the sequence is odd.