SQL Query Parameters and SQL injection

Mark_Palermo · March 24, 2025, 11:20pm

I am attempting to create a re-usable subgraph for retrieving a database value based on a query parameter passed in. For scalability reasons, it is not reasonable to read the whole table and then filter in CloverDX.
The only way I have been able to figure out how to pass a parameter to SQL is when it is a parameter of the graph itself. Unfortunately, that parameter replacement is just a String variable replacement in the query, leading to potential SQL injection attacks.

In the documentation for DatabaseReader, I see there are question marks in the " Query statement with mapping" section which leads me to believe there is some other way of specifying String query parameters to a Prepared Statement without risking injection.

Any guidance is greatly appreciated,

David_Pavlis2 · March 26, 2025, 7:49am

Hi Mark,
The DatabaseReader component allows the SQL query be read from input port instead of specified as one of parameters.
If you choose this way then you can do whatever pre-processing including checking for SQl injection before sending the query to the component and thus to database.

See: DatabaseReader | CloverDX 7.0.0 Documentation section which shows how to read the query from input port.

Hope this solves it.

David

Topic		Replies	Views
SQL parameter CloverDX Platform	1	3	July 16, 2007
WAy to pass parameter to queries CloverDX Platform	3	7	July 16, 2007
Graph property in SQL query CloverDX Platform	3	4	April 28, 2010
SQL Query containing the output of a previous SQL query CloverDX Platform	2	42	November 26, 2024
Clover 1.1.7 CloverDX Platform	1	1	July 16, 2007

SQL Query Parameters and SQL injection

Related topics