Is a Google App Engine app susceptible to SQL injection attacks?

Since App Engine doesn't actually use SQL, does that mean that App Engine apps are immune from SQL injection attacks?

Tyrone asked Jun 02 '11 23:06


2 Answers

Yes, they are both equally susceptible to injection attacks, provided you do something along the lines of concatenating user-inputs with the GQL string.

However, if you follow Google's best-practice suggestion of using parameters when inputting values in a GQL string, you should be fine with GQL. So instead of:

from google.appengine.ext.db import GqlQuery

query = GqlQuery("SELECT * FROM Song WHERE composer = 'Lennon, John'")

you can use:

query = GqlQuery("SELECT * FROM Song WHERE composer = :1", "Lennon, John")

or:

query = GqlQuery("SELECT * FROM Song WHERE composer = :composer", composer="Lennon, John")

Additionally, you will avoid this problem entirely by using the Query class to generate the query.

yydl answered Sep 29 '22 10:09
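
To make the difference between the two styles concrete, here is an added Python example (not code from either answer). It deliberately does not import google.appengine.ext.db, so it runs anywhere: it only builds the query text and the parameter mapping that db.GqlQuery would be given, and the helper names (naive_song_query, bound_song_query, query_shape, has_dangling_quote, shape_is_constant) are this example's own.

```python
import re

# GQL string literals are single-quoted; '' inside a literal stands for one quote.
_LITERAL = re.compile(r"'(?:[^']|'')*'")

def naive_song_query(composer):
    """The pattern the answer warns against: the value is spliced into the
    query text, so the text GqlQuery has to parse depends on the input."""
    gql = "SELECT * FROM Song WHERE composer = '" + composer + "'"
    return gql, {}

def bound_song_query(composer):
    """The recommended form: the query text is a constant and the value is
    handed to GqlQuery separately as the :composer parameter."""
    gql = "SELECT * FROM Song WHERE composer = :composer"
    return gql, {"composer": composer}

def query_shape(gql):
    """Return the query with each complete string literal replaced by '?',
    i.e. the structure that remains once literal values are set aside."""
    return _LITERAL.sub("?", gql)

def has_dangling_quote(gql):
    """True when a quote is left over after all complete literals are removed:
    the query then either fails to parse or no longer means what was written."""
    return "'" in _LITERAL.sub("", gql)

def shape_is_constant(build, samples):
    """Unit-test style check for a query builder: a parameterised builder gives
    the same shape for every sample value; a concatenating builder does not
    once a value containing a quote is tried."""
    return len({query_shape(build(value)[0]) for value in samples}) == 1

if __name__ == "__main__":
    # Constructed sample values: a plain name and one containing an apostrophe.
    samples = ["Lennon, John", "O'Connor"]
    for build in (naive_song_query, bound_song_query):
        print(build.__name__, "constant shape:", shape_is_constant(build, samples))
    print(query_shape(naive_song_query("O'Connor")[0]))
```

A perfectly legitimate value with an apostrophe is already enough to change the shape of the concatenated query, while the bound query's text never varies with the input.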


Well no SQL==no SQL injection, by definition. :-)

But you could certainly do GQL injection, if the app is using GQL and naïvely sticking string literal values into queries without escaping. The damage you can do with that is less than some variants of SQL that let you ;-terminate the current query and begin a new one in the same string, but it's still potentially dangerous.

GQLQuery provides a simple built-in parameter binding mechanism, though (unlike some languages' default libraries...). So there's really no excuse to still be stuffing string literals into a query string.

bobince answered Sep 29 '22 11:09