Hello,

We are using version 2.7 of the Couchbase-lite-ios in our application and 
through a security scan, some dynamic SQL queries were identified. Some of 
the findings about what our client-side code is doing include:

   - INSERT INTO "%@" ("%@", "%@", "%@", "%@", "%@", "%@") VALUES ('%@', '%@', '%@', %@, '%u', '%lld')
   - CREATE TABLE "%@" (%@%@);
   - DELETE FROM "%@" WHERE %@

From the description, it points out that these client-side SQL queries are 
populated at runtime via format strings and could be subject to SQL 
Injection.

We are passing the strings from the application into the queryObject when 
we are building out the query through CBLQuery.buildQuery.

In addition to ensuring our inputs are sanitized prior to building the 
query, I was wondering if the CBLQueryBuilder has any additional guards 
against potential SQL Injection attacks? Also, are there other suggestions 
on how we can utilize CBLQuery safely? Please let me know if you require 
additional information.

Thanks,
Gary
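The distinction the scanner is flagging, shown as an added example (not code from the post above and not Couchbase Lite's own code): a query whose text is assembled with a format string versus one whose text is constant and whose values are bound as parameters. It uses plain Python and SQLite (the storage engine the flagged SQL resembles) rather than CBLQuery, and the table, column names and rows are constructed for the demo. Identifiers such as table and column names cannot be bound, which is why the `%@` placeholders in the flagged statements are filled by the library from fixed names; the last function shows the allowlist check an application would need if its own input ever selected an identifier.

```python
import sqlite3

# Constructed sample data for the demo; not taken from the mailing-list post.
SAMPLE_ROWS = [
    ("alice", "admin"),
    ("O'Brien", "user"),
    ("bob", "user"),
]

# Hypothetical allowlist of columns an application might let a caller choose.
ALLOWED_COLUMNS = {"name", "type"}


def build_demo_db():
    """In-memory SQLite database with a small users table (constructed sample)."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "users" ("name" TEXT, "type" TEXT)')
    conn.executemany('INSERT INTO "users" ("name", "type") VALUES (?, ?)', SAMPLE_ROWS)
    conn.commit()
    return conn


def names_by_name_formatted(conn, name):
    """Vulnerable pattern: the value is spliced into the SQL text with a format
    string, so the engine cannot tell where the data ends and the syntax begins."""
    sql = "SELECT \"name\" FROM \"users\" WHERE \"name\" = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def names_by_name_bound(conn, name):
    """Safe pattern: the SQL text is constant and the value travels as a bound
    parameter, so quotes inside the value are just characters."""
    sql = 'SELECT "name" FROM "users" WHERE "name" = ?'
    return [row[0] for row in conn.execute(sql, (name,))]


def formatted_query_breaks(conn, name):
    """Return True if the format-string query fails to parse for this value.
    A value containing a quote is enough: the query text itself changes shape."""
    try:
        names_by_name_formatted(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def names_by_column_bound(conn, column, value):
    """Identifiers cannot be bound parameters. When input must choose a column,
    check it against a fixed allowlist before it is spliced into the SQL text;
    the comparison value is still bound."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % column)
    sql = 'SELECT "name" FROM "users" WHERE "%s" = ? ORDER BY "name"' % column
    return [row[0] for row in conn.execute(sql, (value,))]


def column_query_rejected(conn, column):
    """Return True if the allowlist check refuses the column name."""
    try:
        names_by_column_bound(conn, column, "user")
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = build_demo_db()
    value = "O'Brien"  # a legitimate value that happens to contain a quote
    print("format string breaks:", formatted_query_breaks(db, value))  # True
    print("bound parameter:", names_by_name_bound(db, value))          # ["O'Brien"]
    print("allowlisted column:", names_by_column_bound(db, "type", "user"))
    print("unknown column rejected:", column_query_rejected(db, "rowid"))
```

The apostrophe case is the same defect the scanner describes, seen from the ordinary-data side: a format-built query already misbehaves on legitimate input, and binding the value removes that whole class of problem without any escaping or sanitizing of the string. For Couchbase Lite this corresponds to keeping application values out of the expression text and supplying them through the query's parameters object.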

-- 
You received this message because you are subscribed to the Google Groups 
"Couchbase Mobile" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/mobile-couchbase/e3b24c64-fe1b-4292-a98c-af4b02780d31n%40googlegroups.com.
