Is Google App Engine susceptible to SQL injection attacks?

Since App Engine does not actually use SQL, does this mean that App Engine applications are not vulnerable to SQL injection attacks?

+7
3 answers

Yes, they are both equally susceptible to injection attacks if you do something like concatenating user input into a GQL string.

However, if you follow Google's guidelines and use parameters when passing values into a GQL string, you should be fine with GQL. So instead of:

    # GqlQuery comes from the App Engine Python SDK
    from google.appengine.ext.db import GqlQuery

    query = GqlQuery("SELECT * FROM Song WHERE composer = 'Lennon, John'")

you can use:

    query = GqlQuery("SELECT * FROM Song WHERE composer = :1", "Lennon, John")

or

    query = GqlQuery("SELECT * FROM Song WHERE composer = :composer", composer="Lennon, John")

You also avoid this problem entirely by using the Query class to build the query.

+10

Well, no SQL == no SQL injection, by definition. :-)

But you can, of course, do GQL injection if the application uses GQL and naively pastes string literals into queries without escaping. The damage you can do with this is less than with some SQL dialects that let you use ; to end the current query and start a new one on the same line, but it is still potentially dangerous.

GQLQuery provides a simple built-in parameter-binding mechanism, though (unlike the default libraries of some languages...). So there is really no excuse for still pasting string literals into the query string.

+2
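As an added illustration of the point made in the first two answers above (a bound parameter stays data, while a concatenated string becomes query syntax), here is a small self-contained Python example. It is not code from the answers or from the App Engine SDK: the real google.appengine.ext.db.GqlQuery is not available offline, so run_gql below is a toy stand-in that mimics only the :1 / :name binding semantics of the real class, and the Song entities are constructed sample data. The two lookup functions mirror the first answer's before/after snippets.

```python
import re

# Constructed sample entities standing in for a Song kind (not real App Engine data).
SONGS = [
    {"composer": "Lennon, John", "title": "Imagine"},
    {"composer": "Lennon, John", "title": "Jealous Guy"},
    {"composer": "O'Brien, Pat", "title": "Demo"},
]

_QUERY = re.compile(r"^SELECT \* FROM (\w+)(?: WHERE (.+))?$")
_COND = re.compile(r"^(\w+)\s*=\s*(.+)$")


def _literal(token, positional, named):
    """Resolve a right-hand side: a :1 / :name placeholder or a quoted string."""
    token = token.strip()
    if token.startswith(":"):
        # Bound value: taken straight from the argument list, never parsed as GQL.
        name = token[1:]
        return positional[int(name) - 1] if name.isdigit() else named[name]
    if len(token) >= 2 and token[0] == token[-1] == "'" and "'" not in token[1:-1]:
        return token[1:-1]
    raise ValueError("bad GQL literal: %r" % token)


def run_gql(gql, *positional, **named):
    """Toy stand-in for GqlQuery: SELECT * FROM Kind [WHERE p = v [AND ...]].

    It mimics only the binding semantics of the real class; it is not the SDK.
    """
    m = _QUERY.match(gql.strip())
    if not m:
        raise ValueError("bad GQL: %r" % gql)
    conds = []
    if m.group(2):
        for clause in m.group(2).split(" AND "):
            c = _COND.match(clause.strip())
            if not c:
                raise ValueError("bad condition: %r" % clause)
            conds.append((c.group(1), _literal(c.group(2), positional, named)))
    return [e for e in SONGS if all(e.get(p) == v for p, v in conds)]


def songs_by_composer_unsafe(composer):
    """Vulnerable pattern: user input concatenated into the query text."""
    return run_gql("SELECT * FROM Song WHERE composer = '" + composer + "'")


def songs_by_composer_safe(composer):
    """Safe pattern from the first answer: the value is bound with :1 and stays data."""
    return run_gql("SELECT * FROM Song WHERE composer = :1", composer)


def songs_by_composer_named(composer):
    """Same thing with a named parameter, as in the answer's second form."""
    return run_gql("SELECT * FROM Song WHERE composer = :composer", composer=composer)


def titles(entities):
    return [e["title"] for e in entities]


def demo():
    """Run both patterns on ordinary and hostile input; returns titles or 'error'."""
    # Constructed input that changes the query's structure when concatenated
    # (an extra AND filter), but is just a non-matching string when bound.
    hostile = "Lennon, John' AND title = 'Imagine"
    results = {}
    for label, fn in (("unsafe", songs_by_composer_unsafe), ("safe", songs_by_composer_safe)):
        for value in ("Lennon, John", hostile, "O'Brien, Pat"):
            try:
                results[(label, value)] = titles(fn(value))
            except ValueError:
                # Concatenation also breaks on legitimate names containing a quote.
                results[(label, value)] = "error"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things to notice in the output: with concatenation, the hostile input narrows the result set to a row the caller never asked for, and an ordinary name such as O'Brien fails to parse at all; with binding, the hostile input simply matches nothing and the apostrophe is harmless, because the bound value is never re-parsed as query text.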

See this question for a discussion of App Engine security. In general, you should use parameter binding to build any kind of query.

0
