Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why is it safe to write GraphQL queries client-side?

Tags:

sql-injection

graphql

GraphQL was recently released, and it seems to encourage writing your queries client-side.

  1. What is it that makes it safe to write GraphQL queries client-side, but not SQL queries?
  2. Is GraphQL not subject to injections?
  3. If it's so useful to have your queries client-side, why not make a version of SQL not subject to injections?
like image 912
tybro0103 Avatar asked Aug 30 '15 01:08

tybro0103

People also ask

Is GraphQL client side?

Client-side GraphQL is a client-side infrastructure that interfaces with data from a GraphQL server to perform the following functions: It manages data by sending queries and mutating data without you having to construct HTTP requests all by yourself.

What is the significant benefit of using a GraphQL client library?

One major benefit of GraphQL is that it allows you to fetch and update data in a declarative manner. Put differently, we climb up one step higher on the API abstraction ladder and don't have to deal with low-level networking tasks ourselves anymore.

Why do we need GraphQL client?

Performance is the main reason to use a GraphQL client. Caches are generally used to speed things up. So, many assume that the primary benefit of Apollo Client or Relay comes from the fact that it is able to improve the performance of your application by lowering roundtrips.

Is GraphQL a security risk?

Applications using GraphQL are still prone to the same common vulnerabilities we all know and dread. It's up to the developer to properly validate and sanitize input to prevent malicious requests. For example, let's look at how we might exploit an OS command injection vulnerability via GraphQL.

1 Answers

Since this wasn't answered by the users who answered it in the slack channel, I'll post their answers.

  1. GraphQL queries are validated against a schema that was built explicitly to expose data to the client. SQL doesn't validate your query against anything other than the DB schema structure.
  2. In theory your GraphQL endpoint has some sort of security in place to validate the user is allowed to query the data at the starting point of their query. Once they are inside the Graph based schema, permissions are inherent to the graphQL schema definition, and injection wouldn't accomplish anything.
  3. Making a version of SQL that isn't subject to injection would involve some of the same validations that GraphQL does. Some sort of validation that all requested data/mutations are allowed. As quoted in the chat, "Injection isn't a problem inherent to SQL".

Answers credited to charlie and samwgoldman from the GraphQL/#general Slack chat.

like image 146
ahillman3 Avatar answered Oct 11 '22 17:10

ahillman3
Sign in to Comment

Related questions

Do I need to sanitize the user input Laravel
ColdFusion Security [closed]
Safely escape strings for SQL fragments for joins, limits, selects, and so on (not conditions) on Rails
Are there any differences between SQL Server and MySQL when it comes to preventing SQL injection?
Is mysql_real_escape_string() broken?
Where are ORM's vulnerable for SQL injection?
Valid Email Addresses - XSS and SQL Injection
Is sqlite3_bind_text sufficient to prevent SQL injection on the iPhone
how much safe from SQL-Injection if using hibernate
Showing custom error message on exception: A potentially dangerous Request.Form value was detected from the client
Are there any security vulnerabilities in this PHP code?
Successful SQL Injection despite PHP Magic Quotes
SQL Injection after removing all single-quotes and dash-characters
SQL Injection attack - What does this do?
rails 3 activerecord order - what is the proper sql injection work around?
Entity Framework + sql injection
How should I sanitize database input in Java?
When should I use prepared statements?
Prevent SQL injection attacks in a Java program
Is the @Query annotation in spring SQL Injection safe?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!