Is there a correct way to use parameters in a SQL injection safe way with the InfluxDB python client, much like the mogrify function in psycopg?

The following seems rather dangerous:

def mogrify(query, params):
    return query % tuple(params)

What if something like this was done:

query = """ SELECT foo FROM bar WHERE baz = %s AND bat = %s """
params = ('safe_param', 'not_so_safe_param; DROP MEASUREMENT bar;')
result_set = client.query(mogrify(query, params))
return result_set

(Not sure if this would actually work, but you get the point.)

Currently I'm considering a simple in-house solution:

def mogrify(query, params):
    clean_params = list()

    for param in params:
        param = ''.join(char for char in param if char.isalnum() or char in ('-', '_', '.'))
        clean_params.append(param)

    return query % tuple(clean_params)

It removes anything which is not an (English) letter, number, underscore, simple hyphen or period. Based on the following answer: https://stackoverflow.com/a/5843560/604048

I think this will cover my use cases, but I have no idea if there are dangerous corner cases which make it possible to do harm. For the record, the user which is running these queries has only read access. However, I'd rather not rely on this fact. Maybe someone might give the user elevated rights in the future.

I think it'll be safe, but should I be doing something else? This rather feels like one of those cases where people will be telling me not to run my own thing, like with encryption and hashing.
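Added example (not from the question or from the InfluxDB client project) that contrasts the strip-and-continue sanitiser from the question with a validate-and-reject version of the same allowlist. The point it shows: silently deleting characters lets a hostile parameter through as a different, still-valid value, while rejecting it fails loudly; it also shows that `str.isalnum()` accepts non-ASCII letters, so the question's "(English) letter" description only holds with an explicit ASCII pattern. `UnsafeParameter`, `validate_param`, `mogrify_strict` and `mogrify_strip` are names chosen here.

```python
import re

# Allowlist as described in the question: ASCII letters, digits, underscore,
# hyphen and period. An anchored regex, unlike str.isalnum(), is ASCII-only.
_SAFE_PARAM = re.compile(r'\A[A-Za-z0-9_.-]+\Z')


class UnsafeParameter(ValueError):
    """Raised when a parameter contains anything outside the allowlist."""


def validate_param(value, max_len=128):
    """Return `value` unchanged if it is a short, allowlisted string; otherwise raise."""
    if not isinstance(value, str):
        raise UnsafeParameter("parameter must be a str, got %s" % type(value).__name__)
    if not value or len(value) > max_len:
        raise UnsafeParameter("parameter length must be 1..%d" % max_len)
    if not _SAFE_PARAM.match(value):
        raise UnsafeParameter("parameter contains characters outside [A-Za-z0-9_.-]: %r" % value)
    return value


def mogrify_strict(query, params):
    """Interpolate only after every parameter has passed validate_param()."""
    return query % tuple(validate_param(p) for p in params)


def mogrify_strip(query, params):
    """The question's approach, kept here only for comparison: drop bad characters and carry on."""
    clean = [''.join(c for c in p if c.isalnum() or c in ('-', '_', '.')) for p in params]
    return query % tuple(clean)


def compare(query, params):
    """Run both strategies on the same input; report what each would send to the database."""
    try:
        strict = mogrify_strict(query, params)
    except UnsafeParameter as exc:
        strict = "REJECTED: %s" % exc
    return {"strip": mogrify_strip(query, params), "strict": strict}


if __name__ == "__main__":
    # Constructed inputs: the hostile parameter from the question and a non-ASCII one.
    q = "SELECT foo FROM bar WHERE baz = '%s' AND bat = '%s'"
    hostile = ('safe_param', 'not_so_safe_param; DROP MEASUREMENT bar;')
    non_ascii = ('safe_param', 'caf\u00e9')
    for label, params in (("hostile", hostile), ("non-ascii", non_ascii)):
        out = compare(q, params)
        print(label, "strip  ->", out["strip"])
        print(label, "strict ->", out["strict"])
```

With the hostile tuple, `mogrify_strip` produces a syntactically fine query for `bat = 'not_so_safe_paramDROPMEASUREMENTbar'`, which runs and returns nothing useful without anyone noticing the input was tampered with; `mogrify_strict` raises instead, which is the behaviour you want to log and alert on. The non-ASCII case passes `isalnum()` but fails the ASCII regex, so the two strategies also disagree on what "letter" means.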

1 answer

snakecharmerb (accepted answer)

There is an open issue in the project for PEP 249 compliance, and a search of the repo on github returns nothing for paramstyle, so probably there is no correct way right now.