Elasticserach sql query with passing parameters so we prevent sql Injection

754 views Asked by At

I am using elastic search 7.6.2 version. Passing parameters to a query not working in kibana. When I am trying to add params query not working in kibana dev tool if we try with params query will work fine.

       POST /_sql?format=txt
                   {
                     "query": "SELECT count(*) as aa  from student where  st_category = ?",
                     "params": [
                       39
                     ]
                   }
       ```  
                     {
                     "error" : {
                       "root_cause" : [
                         {
                           "type" : "x_content_parse_exception",
                           "reason" : "[5:3] [params] Expected START_OBJECT but was: END_ARRAY"
                         }
                       ],
                       "type" : "x_content_parse_exception",
                       "reason" : "[5:3] [sql/query] failed to parse field [params]",
                       "caused_by" : {
                         "type" : "x_content_parse_exception",
                         "reason" : "[5:3] [params] Expected START_OBJECT but was: END_ARRAY"
                       }
                     },
                     "status" : 400
                   }
1

There are 1 answers

1
Jaycreation On

Reproduced on a 7.6.0 cluster but not on my 7.9+ This functionality first appear on the 7.7. So, unfortunately you will have to upgrade your cluster if you want to use it.