I'm writing some Google Big-query dynamic reporting utilities to our website, that will allow users to select a parameter to be replaced in the query. Given this query "template":
SELECT name ,
birthday
FROM [dataset.users]
WHERE registration_date = '{{registration_date}}'
we take the {{registration_date}} value from the user and replace it in the template, resulting in a query:
SELECT name ,
birthday
FROM [dataset.users]
WHERE registration_date = '2013-11-11'
How I can prevent sql-injection like attacks in this scenario, given that I'm executing the queries using the Google Big-query client API,
and the API don't allow one to use positioned parameters as on traditional RDBMS apis.
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
