OrientDb sql character injection and escaping

How can I prevent SQL injection while programming in OrientDB with OrientDB-NET.binary? Is there a way to avoid special characters for Orient-SQL and work with string literals?

Example: I want to store this literal: me' or 1 = 1 ),'//

and then request it as

select from MyVertex where text = '...'

I am also having problems working in OrientDb studio.

I found this post, which is related to the Java driver, so I was wondering if there is something similar for .NET.

+3



1 answer


You need to use parameterized queries.

These are queries that extract data from syntax, which is the main problem for SQL injection.

In C#, using OrientDB-NET binary, you want to do something like this (adapted from the OrientDB-NET wiki):

using System.Linq;
using Orient.Client;

// The value to match is passed separately from the SQL text, so it is never parsed as syntax.
string userInput = "me' or 1 = 1 ),'//"; // the literal from the question, or any untrusted input

using (ODatabase database = new ODatabase("yourDatabase"))
{
    // '?' is a positional placeholder; Run(...) binds userInput to it as data.
    PreparedQuery query = new PreparedQuery("SELECT FROM MyVertex WHERE text = ?");
    ODocument selectedValue = database
        .Query(query)
        .Run(userInput)
        .SingleOrDefault();

    // Null when no vertex has that exact text.
    string text = selectedValue == null ? null : selectedValue.GetField<string>("text");
}

You can check out OrientDB-NET 's PreparedQuery testers to see more examples of how you can do this.

0
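As an added example (not code from the question, the answer or the OrientDB-NET project), the following C# program round-trips the exact literal from the question through a parameterized INSERT and SELECT, and prints the concatenated query text for contrast. The host, port, credentials, the `Insert().Into().Set().Run()` builder and the `ODatabaseType.Graph` value are assumptions about the OrientDB-NET.binary API; check them against the project's wiki and PreparedQuery tests.

```csharp
using System;
using System.Linq;
using Orient.Client;

public static class OrientParamDemo
{
    // The literal from the question; bound as a parameter it stays plain data.
    private const string Payload = "me' or 1 = 1 ),'//";

    // Vulnerable form: the value is spliced into the SQL text, so the quote and
    // parentheses inside it are read by the OrientDB SQL parser as syntax.
    public static string UnsafeQueryText(string userInput)
    {
        return "SELECT FROM MyVertex WHERE text = '" + userInput + "'";
    }

    public static void Main()
    {
        // Assumed connection settings: replace with your own server and credentials.
        using (ODatabase database = new ODatabase("127.0.0.1", 2424, "yourDatabase",
                                                  ODatabaseType.Graph, "admin", "admin"))
        {
            // Store the literal. The insert builder (assumed from the wiki) sends the
            // value as data rather than concatenating it into SQL text.
            database.Insert().Into("MyVertex").Set("text", Payload).Run();

            // Fetch it back; '?' is bound positionally by Run(...).
            PreparedQuery query = new PreparedQuery("SELECT FROM MyVertex WHERE text = ?");
            ODocument found = database.Query(query).Run(Payload).SingleOrDefault();

            string stored = found == null ? null : found.GetField<string>("text");
            Console.WriteLine(stored == Payload
                ? "round-trip OK: literal stored and matched as data"
                : "mismatch: " + stored);

            // What the concatenating version would have sent: the quote in the value
            // closes the string early, so the comparison no longer targets the value.
            Console.WriteLine(UnsafeQueryText(Payload));
        }
    }
}
```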
