I'll second what Chris said. Afaik, Solr does not solve this problem for you. 
Riak won't either. I just googled for "sanitize solr query inputs in java" and 
there are quite a few hits. I'd use that as a starting point, but I'm a bit 
surprised there isn't a lib somewhere that makes this a non-problem...

-Alexander 


@siculars
http://siculars.posthaven.com

Sent from my iRotaryPhone

> On Mar 23, 2015, at 13:43, Jason W <jason.w.p...@gmail.com> wrote:
> 
> Thanks Chris.  I meant the query injection.  I was really looking for an API 
> that takes a parametrized query in the Riak Java client; do you know whether Solr 
> provides that?  It would not be an easy task to do a 100% secure sanitize 
> function; the above query is really just a simple use case.
> 
> Jason
> 
>> On Mon, Mar 23, 2015 at 1:49 PM, Christopher Meiklejohn 
>> <cmeiklej...@basho.com> wrote:
>> 
>> > On Mar 22, 2015, at 7:03 PM, Jason W <jason.w.p...@gmail.com> wrote:
>> >
>> > Hello,
>> >
>> > I try to use the riak search java client, specifically the Search.Builder 
>> > class, like the following
>> >
>> > Search search = new Search.Builder("test", "_yz_rb:accounts AND email:" + 
>> > [user-email]).
>> >
>> >
>> >
>> > "[user-email]" is what the user entered in the login form. My question is 
>> > about SQL injection: it seems like the Java search client API doesn't 
>> > prevent SQL injection. Are there any other APIs/methods that I can use to 
>> > prevent this?  Thank you
>> 
>> Hello Jason,
>> 
>> Search is not SQL; queries are specified in the Solr [1] query syntax so 
>> they’re not vulnerable to a SQL injection attack, given the basis of a SQL 
>> injection attack is to end a query and start a new one using unvalidated 
>> syntax.  While it’s not directly the same thing, in the same class of 
>> attacks it’s possible for a user to add additional criteria to the query 
>> given the way you’ve written your search query.  I highly recommend you 
>> sanitize your inputs before passing them to the query builder.
>> 
>> - Chris
>> 
>> [1] https://wiki.apache.org/solr/SolrQuerySyntax
>> 
>> Christopher Meiklejohn
>> Senior Software Engineer
>> Basho Technologies, Inc.
>> cmeiklej...@basho.com
> 
> _______________________________________________
> riak-users mailing list
> riak-users@lists.basho.com
> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
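The sanitizing Chris recommends, as an added example that is not part of the thread and not the Riak Java client's own code. It builds the query string from the thread's `_yz_rb:accounts AND email:` template in two ways: the raw concatenation from Jason's post, and a hardened version that first rejects anything not shaped like an e-mail address (the allow-list pattern is an assumption about what the application accepts) and then backslash-escapes the Solr query metacharacters. The escaped set is the one Lucene's `QueryParser.escape()` uses, plus whitespace as SolrJ's `ClientUtils.escapeQueryChars()` adds; the `Search.Builder` call it feeds is the one from the thread and is only referenced in a comment so the class compiles with the JDK alone.

```java
import java.util.regex.Pattern;

/**
 * Added example (not Riak client code): build a Riak Search / Solr query
 * string from a user-supplied e-mail without letting the value change the
 * structure of the query.
 */
public final class SafeSearchQuery {

    // Allow-list for the single field accepted here. Assumption: the login
    // form only needs "local@domain" style addresses; anything else is
    // rejected outright rather than escaped.
    private static final Pattern EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\\.[A-Za-z]{2,}$");

    // Characters with meaning in the Solr/Lucene query syntax: the set
    // Lucene's QueryParser.escape() backslash-escapes (whitespace is handled
    // separately below, as SolrJ's ClientUtils.escapeQueryChars() does).
    private static final String SPECIAL = "\\+-!():^[]\"{}~*?|&/";

    /** Backslash-escape every query-syntax metacharacter so the value is one literal term. */
    public static String escapeQueryChars(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (SPECIAL.indexOf(c) >= 0 || Character.isWhitespace(c)) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** The form from the thread: raw concatenation, so the input can add clauses. */
    public static String unsafeQuery(String userEmail) {
        return "_yz_rb:accounts AND email:" + userEmail;
    }

    /** Hardened form: validate against the allow-list, then escape what is left. */
    public static String safeQuery(String userEmail) {
        if (userEmail == null || !EMAIL.matcher(userEmail).matches()) {
            throw new IllegalArgumentException("not a valid e-mail address");
        }
        return "_yz_rb:accounts AND email:" + escapeQueryChars(userEmail);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a legitimate address containing '+',
        // and a value carrying a space and a query operator.
        String benign = "alice+test@example.com";
        String hostile = "x@example.com OR email:*";

        System.out.println(unsafeQuery(hostile));
        // _yz_rb:accounts AND email:x@example.com OR email:*  (extra clause survives)

        System.out.println(safeQuery(benign));
        // _yz_rb:accounts AND email:alice\+test@example.com

        try {
            safeQuery(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // For a free-text field where no tight allow-list exists, escaping
        // alone still keeps the value a single term:
        System.out.println(escapeQueryChars(hostile));
        // x@example.com\ OR\ email\:\*

        // The resulting string is what would go into the client call from
        // the thread: new Search.Builder("test", safeQuery(userEmail))
    }
}
```

The allow-list check is the stronger of the two measures: an e-mail that passes it cannot contain whitespace, parentheses or a colon in the first place, so the escaping is belt-and-braces for that field. Escaping on its own is the right tool only for fields whose legitimate values genuinely need those characters.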