Just found my application formed
WHERE field = 'bah\'
from user input (by means of Linq2Couchbase), resulting in “syntax error: invalid quoted string”. This is a user typo, not a deliberate attempt to inject anything… What would be the best practice to sanitize user input?
PS: Exact Linq2Couchbase error was:
Couchbase.Linq.CouchbaseQueryException: syntax error: invalid quoted string - at '%!b(MISSING)lah\%!'(MISSING)
@skaryshev Linq2Couchbase should be escaping user input correctly for you, can you provide some more details showing the code and user input that causes this?
I am working on this. Will post when I have more details.
Couchbase server 6.6 Community. Linq2Couchbase 1.4.2
A simple test includes
.Where(obj=>obj.Data == @"data\")
Couchbase log: I did my best to make data\ and data\\ look correct. Do not know how to post raw text.
SELECT RAW META(Extent1).id FROM BUCKET-test as Extent1 WHERE (Extent1.Data = 'data\') |Couchbase.Linq.QueryGeneration.QueryPartsAggregator|
Generated query: SELECT RAW META(Extent1).id FROM BUCKET-test as Extent1 WHERE (Extent1.Data = 'data\') |Couchbase.Linq.Execution.BucketQueryExecutor|
Gettting Query Uri cid3::0 |Couchbase.N1QL.QueryClient|
Applying creds cid3::0: http://192.168.0.6:8093/query |Couchbase.N1QL.QueryClient|
Removing brackets cid3::0: http://192.168.0.6:8093/query |Couchbase.N1QL.QueryClient|
http://192.168.0.6:8093/query ["statement":"SELECT RAW META(Extent1).id FROM BUCKET-test as Extent1 WHERE (Extent1.Data = 'data\\')","timeout":"75000ms","creds":[REDUCTED] |Couchbase.N1QL.QueryClient|
Buildspan cid3::0: http://192.168.0.6:8093/query |Couchbase.N1QL.QueryClient|
Getting content cid3::4: http://192.168.0.6:8093/query |Couchbase.N1QL.QueryClient|
Sending query cid3::4: http://192.168.0.6:8093/query |Couchbase.N1QL.QueryClient|
Handling response cid3::4: http://192.168.0.6:8093/query |Couchbase.N1QL.QueryClient|
Mapping cid3::4: http://192.168.0.6:8093/query |Couchbase.N1QL.QueryClient|
In GetDatamapper cid3::4 |Couchbase.N1QL.QueryClient|
It is IQueryRequestWithDataMapper cid3::4 |Couchbase.N1QL.QueryClient|
The log stops here
The test outcome:
Message:
Test method Logic.Test.UnitTestDbManager.TestMethodEscape threw exception:
Couchbase.Linq.CouchbaseQueryException: syntax error: invalid quoted string - at 'data\'
Stack Trace:
BucketQueryExecutor.ParseResult[T](IQueryResult`1 result)
BucketQueryExecutor.ExecuteCollectionAsync[T](LinqQueryRequest queryRequest, CancellationToken cancellationToken)
QueryExtensions.ExecuteAsync[T](IQueryable`1 source, CancellationToken cancellationToken)
QueryManager.GetKeysAdHoc[T](IEnumerable`1 searchCriteria) line 183
UnitTestDbManager.TestMethodEscape() line 473
@skaryshev
This is a bug, I’ve filed it on the Linq2Couchbase project: Backslash is incorrectly escaped in strings · Issue #345 · couchbaselabs/Linq2Couchbase · GitHub
As a workaround, you could do x.Replace("\\", "\\\\"), however the workaround will actually break once you upgrade to receive any fix.
Thanks, I have already patched it with Replace. Funny thing, it is only one user hitting backslash with a long fingernail together with the Enter key.
mreiche, December 23, 2020, 11:58pm
You should always use parameters to avoid SQL injection problems.
where field = $1
then set the parameter to whatever the input was. Not only is it safer, it’s more efficient: the server will have the statement already parsed.
Right, but I use the Linq2Couchbase library with LINQ syntax to query data, not the direct Query API from the SDK.
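The two points raised in this thread, the broken backslash escaping behind the "invalid quoted string" error and the advice to use a positional parameter instead, side by side as an added C# example. This is not code from the thread or from the Linq2Couchbase project: ToN1qlLiteral and BuggyLiteral are illustrative helpers written here (BuggyLiteral only models the symptom the log shows, escaping the quote but not the backslash, not the library's actual implementation), and the QueryRequest.Create / AddPositionalParameter calls are the Couchbase .NET SDK 2.x API as I recall it for the SDK generation Linq2Couchbase 1.4.2 targets; check the names against the SDK version you actually run.

```csharp
// Added example, not from the thread or the Linq2Couchbase project.
// Shows why a trailing backslash produces an invalid N1QL literal, what a
// correctly escaped literal looks like, why the Replace("\\", "\\\\")
// workaround breaks once the library is fixed, and how a positional
// parameter keeps user input out of the statement text altogether.
using System;
using System.Text;
using Couchbase.N1QL;   // assumption: Couchbase .NET SDK 2.x namespace (the one seen in the thread's log)

public static class N1qlEscapeDemo
{
    // Illustrative helper (not Linq2Couchbase's code): escape a .NET string for
    // use inside a single-quoted N1QL string literal. N1QL literals use
    // JSON-style backslash escapes, so the backslash itself must be doubled
    // and the enclosing quote must be escaped.
    public static string ToN1qlLiteral(string value)
    {
        if (value == null) return "NULL";
        var sb = new StringBuilder("'", value.Length + 2);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\\\"); break;  // the case Issue #345 misses
                case '\'': sb.Append("\\'");  break;
                case '\n': sb.Append("\\n");  break;
                case '\r': sb.Append("\\r");  break;
                case '\t': sb.Append("\\t");  break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.Append('\'').ToString();
    }

    // Models the symptom in the thread's log: the quote is escaped but a
    // backslash is passed through, so a trailing backslash swallows the
    // closing quote. Constructed for the demo, not the library's real code.
    public static string BuggyLiteral(string value) =>
        "'" + value.Replace("'", "\\'") + "'";

    // Parameterised form (mreiche's advice): the value travels as $1 and never
    // becomes part of the statement text, so no escaping is needed at all.
    // Bucket names containing '-' must be backtick-quoted in N1QL.
    public static IQueryRequest ParameterisedRequest(string userInput) =>
        QueryRequest.Create(
                "SELECT RAW META(Extent1).id FROM `BUCKET-test` AS Extent1 WHERE Extent1.Data = $1")
            .AddPositionalParameter(userInput);

    public static void Main()
    {
        string typo = @"data\";   // the user's input from the thread: a trailing backslash

        // 'data\'   -> backslash escapes the closing quote: "syntax error: invalid quoted string"
        Console.WriteLine(BuggyLiteral(typo));

        // 'data\\'  -> valid literal for the five characters d,a,t,a,\
        Console.WriteLine(ToN1qlLiteral(typo));

        // Pre-doubling the backslash (the thread's workaround) applied on top of
        // a correct escaper yields 'data\\\\', which matches "data\\" rather than
        // "data\" - this is why the workaround breaks once the library is fixed.
        Console.WriteLine(ToN1qlLiteral(typo.Replace("\\", "\\\\")));

        // Parameterised request: statement text is constant regardless of input.
        IQueryRequest req = ParameterisedRequest(typo);
        Console.WriteLine(req != null ? "parameterised request built" : "failed");
    }
}
```

When the query is built through LINQ rather than the raw Query API, as in the thread, the escaping is the library's responsibility and the fix belongs there; the helper above only makes visible what a correct generator has to emit, and a code review of any string-building query path should check that both the quote and the backslash cases are covered, since a missing backslash case is exactly the defect reported in Issue #345.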