> On Mar 22, 2015, at 7:03 PM, Jason W <jason.w.p...@gmail.com> wrote:
>
> Hello,
>
> I am trying to use the Riak Search Java client, specifically the Search.Builder
> class, like the following:
>
> Search search = new Search.Builder("test", "_yz_rb:accounts AND email:" + [user-email]).
>
> "[user-email]" is what the user entered in the login form. My question is about
> SQL injection: it seems like the Java search client API doesn't prevent SQL
> injection. Are there any other APIs/methods that I can use to prevent this?
>
> Thank you
Hello Jason,

Search is not SQL; queries are specified in the Solr [1] query syntax, so they’re not vulnerable to a SQL injection attack, given that the basis of a SQL injection attack is to end a query and start a new one using unvalidated syntax. While it’s not directly the same thing, in the same class of attacks it’s possible for a user to add additional criteria to the query given the way you’ve written your search query. I highly recommend you sanitize your inputs before passing them to the query builder.

- Chris

[1] https://wiki.apache.org/solr/SolrQuerySyntax

Christopher Meiklejohn
Senior Software Engineer
Basho Technologies, Inc.
cmeiklej...@basho.com

_______________________________________________
riak-users mailing list
riak-users@lists.basho.com
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
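One way to do the sanitizing Chris recommends, as an added example that is not from the thread or from the Riak Java client: escape every character that carries meaning in the Solr query syntax before concatenating the user value, so the value can only ever match literally and cannot add criteria to the query. The class and method names (SolrQueryEscaper, escape, accountsByEmail) are mine; the index name "test" and the query shape come from Jason's message.

```java
public class SolrQueryEscaper {

    // Characters that are operators, field selectors, grouping, ranges,
    // wildcards, fuzzy/boost markers or the escape character in the
    // Solr/Lucene query syntax. Each one is prefixed with a backslash so the
    // query parser treats it as a literal instead of as syntax.
    private static final String SPECIAL = "\\+-!():^[]\"{}~*?|&;/";

    /** Returns the value escaped for safe use as a single Solr term. */
    public static String escape(String value) {
        StringBuilder sb = new StringBuilder(value.length() * 2);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // Whitespace is escaped too, otherwise "a OR b" would split into
            // three separate clauses and the OR would become an operator.
            if (SPECIAL.indexOf(c) >= 0 || Character.isWhitespace(c)) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /**
     * Builds the query string from the thread with the user-supplied email
     * escaped. The result is what would be passed as the second argument
     * to new Search.Builder("test", ...). Keeping the fixed part of the
     * query in code and only escaping the user value means the user cannot
     * change which bucket (_yz_rb) or which field is being searched.
     */
    public static String accountsByEmail(String userEmail) {
        return "_yz_rb:accounts AND email:" + escape(userEmail);
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal address, and a value that would
        // otherwise append a match-everything clause to the query.
        System.out.println(accountsByEmail("alice@example.com"));
        System.out.println(accountsByEmail("x OR *:*"));
    }
}
```

Escaping keeps the query well-formed; validating the value against the format you expect (an email address, with a length limit) before it reaches the builder is a cheaper first check to put in front of it.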