This project really looks promising! I have one thing I think should be changed: the SQL endpoint does not seem to support parameters - at least it's not documented. That encourages users to create their SQL by using string concatenation, which is not good from a security perspective (SQL injection). I propose to either use a JSON body:
{
"sql": "SELECT * FROM table where name = $name",
"parameters": {"$name": "something that is properly escaped\" drop table table"}
}
Or make use of headers:
POST URLTOTABLE
X-SQL-Parameter-Name: something that is properly escaped" drop table table
SELECT * FROM table where name = $name
What do you think?
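As an added illustration of the point above (not code from this issue or from the project), here is a minimal handler for the proposed JSON body format next to the concatenation pattern it replaces. It assumes Python's sqlite3 driver and a constructed in-memory `users` table; the endpoint, schema and function names are hypothetical.

```python
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table (hypothetical, not the project's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def query_concat(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the issue warns about: the value is pasted into the SQL text,
    so a value containing a quote can change the meaning of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def query_from_body(conn: sqlite3.Connection, body: str) -> list:
    """Hypothetical handler for the proposed request body:
    {"sql": "... WHERE name = $name", "parameters": {"$name": "..."}}.

    The SQL text only carries placeholders; values travel separately and are
    bound by the driver, so they are compared as data and cannot alter the query.
    """
    req = json.loads(body)
    sql = req["sql"]
    params = req.get("parameters", {})
    if not isinstance(params, dict):
        raise ValueError("parameters must be a JSON object")
    # sqlite3 looks up named placeholders without their prefix ($name -> name)
    bound = {k.lstrip("$:@"): v for k, v in params.items()}
    return [row[0] for row in conn.execute(sql, bound)]


if __name__ == "__main__":
    conn = make_db()
    hostile = "' OR '1'='1"  # constructed input that breaks the concatenated query
    print(query_concat(conn, hostile))  # every row comes back
    body = json.dumps({"sql": "SELECT name FROM users WHERE name = $name",
                       "parameters": {"$name": hostile}})
    print(query_from_body(conn, body))  # [] : the string is matched literally
```

Placeholders can only bind values; a table or column name still has to be validated against an allow-list rather than passed as a parameter.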