
Avoiding SQL injection in Azure DocumentDB Stored Procedures


Update:

Happy to say that as of 1/14/15 - DocumentDB does support SQL parameterization. Support has been added across the .NET, Java, Node.js, and Python SDKs, as well as the REST API. Enjoy =)

Here's an example using the .NET SDK:

```csharp
using System.Linq;
using Microsoft.Azure.Documents;
using Microsoft.Azure.Documents.Client;

// Parameterized query: the SQL text stays a fixed string and the user-supplied
// value is passed separately as a SqlParameter, so it cannot alter the statement.
IQueryable<Book> queryable = client.CreateDocumentQuery<Book>(
    collectionSelfLink,
    new SqlQuerySpec
    {
        QueryText = "SELECT * FROM books b WHERE (b.Author.Name = @name)",
        Parameters = new SqlParameterCollection
        {
            new SqlParameter("@name", "Herman Melville")
        }
    });
```

Original Answer

DocumentDB does not support SQL parametrization yet... so you will want to sanitize your inputs to avoid unintentional exposure of data on reads (e.g. for multi-tenant applications).

That being said... the DocumentDB SQL injection attack surface area is fairly limited - as DocumentDB SQL only supports read-only queries. In other words, you do not have to worry about unintentional writes/updates/deletes in the context of DocumentDB and SQL Injection.
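The following Python example is added here and is not part of the answer above or the DocumentDB SDKs: it contrasts the concatenation the original answer warns against with the parameterized form the update recommends, built in the JSON shape the DocumentDB REST API accepts for a query body. The `tenantId` field, the `books` collection, and the input values are constructed for the illustration.

```python
import json

# Constant statement text: the tenant filter comes from the server-side session,
# the author name from the user, and both are bound as parameters.
QUERY_TEMPLATE = (
    "SELECT * FROM books b "
    "WHERE b.tenantId = @tenantId AND b.Author.Name = @name"
)


def build_query_concatenated(tenant_id: str, author_name: str) -> dict:
    """The pattern to avoid: input is spliced into the SQL text, so a quote in
    the input changes the structure of the statement the service evaluates."""
    text = (
        'SELECT * FROM books b WHERE b.tenantId = "%s" '
        'AND b.Author.Name = "%s"' % (tenant_id, author_name)
    )
    return {"query": text, "parameters": []}


def build_query_parameterized(tenant_id: str, author_name: str) -> dict:
    """Parameterized form (REST API body shape; the SDKs' SqlQuerySpec serializes
    to the same thing): the statement is constant and values travel as JSON."""
    return {
        "query": QUERY_TEMPLATE,
        "parameters": [
            {"name": "@tenantId", "value": tenant_id},
            {"name": "@name", "value": author_name},
        ],
    }


def statement_is_unchanged(spec: dict) -> bool:
    """Check worth asserting in tests: whatever the input, the 'query' field sent
    to the service must be exactly the template the developer wrote."""
    return spec["query"] == QUERY_TEMPLATE


def request_body(spec: dict) -> str:
    """Serialize as the request body; json.dumps escapes quotes inside parameter
    values, so they remain data rather than becoming part of the SQL."""
    return json.dumps(spec)


if __name__ == "__main__":
    # Constructed input containing a double quote, the character that breaks
    # a concatenated string literal.
    hostile = 'Melville" OR 1=1 OR "'
    print(build_query_concatenated("tenant-a", hostile)["query"])
    print(request_body(build_query_parameterized("tenant-a", hostile)))
```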


© Copyright 2017 spot7.org Publishing Limited. All rights reserved.