On Nov 24, 2020, at 4:41 PM, Gary Ma <gary...@gmail.com> wrote:
Hello,
We are using version 2.7 of the Couchbase-lite-ios in our application, and through a security scan, some dynamic SQL queries were identified. Some of the findings about what our client-side code is doing include:
- INSERT INTO "%@" ("%@", "%@", "%@", "%@", "%@", "%@") VALUES ('%@', '%@', '%@', %@, '%u', '%lld')
- CREATE TABLE "%@" (%@%@);
- DELETE FROM "%@" WHERE %@
We are passing the strings from the application into the queryObject when we are building out the query through CBLQuery.buildQuery.
In addition to ensuring our inputs are sanitized prior to building the query, I was wondering if the CBLQueryBuilder has any additional guards against potential SQL Injection attacks?