N1QL query safe against SQL injection

Hello!
So I'm using this `SELECT META().id, file FROM bucket WHERE file IS NOT MISSING AND META().id LIKE 'file_(i need a parameter here)%'` query to grab files from my database, and I was wondering how I'd put a parameter in there without it becoming vulnerable. I'm unable to find the n1qlquery class/function the docs speak about, and using parameters ($1) and then writing the variable I need to throw in there doesn't seem to have any effect either.

SELECT META().id, file 
FROM  `bucket`  
WHERE file IS NOT MISSING 
         AND META().id LIKE "file_" || $name || "%";

You need to pass $1. If you do not pass $name, it returns an error. $name must be a string to get results, due to the concat.
Any other values will get 0 results, because concat on a non-string will result in NULL or MISSING.

So when I write that in my query, would I just add `, (variable)` to pass it in?

During execution you need to pass $name as a named parameter. Check named/positional parameters in the documentation:
https://docs.couchbase.com/sdk-api/couchbase-python-client-2.4.1/api/n1ql.html

1 Like
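As an added example (not code from the thread, and not the Couchbase SDK's own code), here is the query from the answer above built with a named parameter, beside the string-splicing version the question wanted to avoid. The statement text is fixed and the user value travels separately as `$name`, so whatever the caller sends is only ever a value. The bucket name, the `escape_like`/`safe_query`/`run_with_sdk` helper names, the assumption that N1QL's LIKE uses backslash as its escape character, and the constructed hostile input are all mine; only `run_with_sdk` needs the SDK installed, and it follows the `N1QLQuery(statement, **named_params)` / `bucket.n1ql_query(query)` calls of the Python SDK 2.x docs linked in the answer.

```python
"""Added example: parameterized N1QL prefix search vs. string splicing.
Not from the thread or the Couchbase SDK; names and inputs are assumptions."""

# Statement from the answer above, with the user-supplied prefix bound as
# $name. The text never changes, so user input cannot alter the query logic.
SAFE_STATEMENT = (
    "SELECT META().id, file FROM `bucket` "
    "WHERE file IS NOT MISSING AND META().id LIKE \"file_\" || $name || \"%\""
)


def unsafe_statement(prefix: str) -> str:
    """The pattern the question was trying to avoid: splicing the value into
    the query text. Returned only so the effect of hostile input can be seen."""
    return (
        "SELECT META().id, file FROM `bucket` "
        f"WHERE file IS NOT MISSING AND META().id LIKE 'file_{prefix}%'"
    )


def escape_like(value: str) -> str:
    """Neutralise LIKE wildcards inside a value that should match literally.
    Assumption: N1QL treats backslash as the LIKE escape character; verify
    this against the server version in use before relying on it."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def safe_query(prefix: str, literal: bool = True):
    """Return (statement, named_params) ready for the SDK.

    The answer notes that concat (||) on a non-string yields NULL/MISSING and
    therefore 0 rows, so reject wrong types up front instead of silently
    returning nothing. With literal=True a prefix such as '50%' matches the
    characters 5, 0, % rather than '5' followed by anything."""
    if not isinstance(prefix, str):
        raise TypeError("$name must be a string; got %r" % type(prefix).__name__)
    value = escape_like(prefix) if literal else prefix
    return SAFE_STATEMENT, {"name": value}


def run_with_sdk(bucket, prefix: str):
    """Execute with the Couchbase Python SDK 2.x API the linked docs describe.
    `bucket` is an already-opened couchbase.bucket.Bucket (assumed caller setup)."""
    from couchbase.n1ql import N1QLQuery  # imported here so the rest runs without the SDK

    statement, params = safe_query(prefix)
    query = N1QLQuery(statement, **params)   # named parameters go in as kwargs
    return [row for row in bucket.n1ql_query(query)]


if __name__ == "__main__":
    # Constructed hostile input: closes the literal and ORs in a match-all.
    hostile = "' OR META().id LIKE '"
    print("spliced :", unsafe_statement(hostile))   # ...LIKE 'file_' OR META().id LIKE '%'
    statement, params = safe_query(hostile)
    print("bound   :", statement)                     # statement unchanged
    print("params  :", params)                        # hostile text is just a value
```

Two caveats a practitioner will want: the literal `_` in `"file_"` is itself a single-character LIKE wildcard, so `file_` also matches `fileX...`; escape it the same way if it is meant literally. And binding the value stops injection but does not stop wildcard abuse, which is why `safe_query` escapes `%` and `_` in the value by default.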

Oh, so passing in `name=(variable)` is the fix. Thanks vsr1!

1 Like