Is a Google App Engine app susceptible to SQL injection attacks?

Question

Since App Engine doesn't actually use SQL, does that mean that App Engine apps are immune from SQL injection attacks?

Answer 1

Yes, they are both equally susceptible to injection attacks, provided you do something along the lines of concatenating user-inputs with the GQL string.

However, if you follow Google's best-practice suggestion of using parameters when inputting values in a GQL string, you should be fine with GQL. So instead of:

query = GqlQuery("SELECT * FROM Song WHERE composer = 'Lennon, John'")

you can use:

query = GqlQuery("SELECT * FROM Song WHERE composer = :1", "Lennon, John")

or:

query = GqlQuery("SELECT * FROM Song WHERE composer = :composer", composer="Lennon, John")

Additionally, you will avoid this problem entirely by using the Query class to generate the query.

Answer 2

Well no SQL==no SQL injection, by definition. :-)

But you could certainly do GQL injection, if the app is using GQL and naïvely sticking string literal values into queries without escaping. The damage you can do with that is less than some variants of SQL that let you ;-terminate the current query and begin a new one in the same string, but it's still potentially dangerous.

GQLQuery provides a simple built-in parameter binding mechanism, though (unlike some languages' default libraries...). So there's really no excuse to still be stuffing string literals into a query string.