Sanitising database inputs in Clojure with Korma

I'm using Korma behind a RESTful API, and it occurs to me that I'm passing user-submitted values through to my (insert) calls. Is there a nice way in Clojure to protect against SQL injection attacks? Korma generates SQL in a pretty straightforward way, so if somebody told me their name was little Bobby Tables, I'm fearful that it would hurt.
807 views. Asked by Conan.
It's my understanding that Korma always generates parameterized SQL, at least for select and insert (I have not personally tested the others), so Little Baby Tables should be fine.

Carefully scrutinize how these values are being returned from the database. Sanitizing DB input does nothing to protect from CSRF/XSS, etc. When working with Clojure and DB <--> web interactions, I use the rule that all system components must encode the data in a way that is safe for the next server in the chain, and logical constraints (like max search size) are checked up front in ring-middleware.

Security is a cat-and-mouse arms race, and there is no substitute for testing these things. Go ahead and put Little Baby Tables into every query and try all the combinations of encoding and multiple encoding you can think of. Demonstrating exploits can sometimes be a rather effective way to help coworkers learn to spot these things (just don't be a jerk about it).
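The answer's claim that Korma parameterizes `insert` and `select` can be checked without a database, using Korma's own `sql-only` and `dry-run` macros, which return or print the generated SQL instead of executing it. The block below is an added example, not code from the question or the answer; the `users` entity, its `name` column and the hostile name value are constructed for illustration. It also shows the two escape hatches where the guarantee stops: `raw` splices text straight into the statement, while `exec-raw` with a `[sql params]` vector stays parameterized.

```clojure
(ns example.korma-params
  ;; Added example; `users` and `hostile-name` are constructed, not from the page.
  (:require [korma.core :refer [defentity insert values select where
                                 sql-only dry-run exec-raw raw]]))

;; Hypothetical entity backed by a table named "users".
(defentity users)

;; A constructed hostile value in the spirit of "little Bobby Tables".
(def hostile-name "Robert'); DROP TABLE users;--")

;; sql-only returns the SQL string Korma would send, without touching a DB.
;; Values passed through (values ...) become ? placeholders: the string is
;; bound as a parameter and never becomes part of the statement text, so it
;; cannot change the statement's structure.
(defn insert-sql []
  (sql-only (insert users (values {:name hostile-name}))))

;; The same holds for predicates built with (where ...).
(defn select-sql []
  (sql-only (select users (where {:name hostile-name}))))

;; dry-run prints both the SQL and the bound parameter vector, which is the
;; quickest way to confirm at the REPL that a query is parameterized.
(defn show-params []
  (dry-run (insert users (values {:name hostile-name}))))

;; Escape hatch 1: `raw` embeds a string verbatim in the SQL. Building that
;; string from user input re-creates the classic injection; keep user data
;; out of `raw` entirely.
(defn unsafe-raw-sql []
  (sql-only
    (select users
      (where (= :name (raw (str "'" hostile-name "'")))))))

;; Escape hatch 2: `exec-raw` takes a [sql params] vector and binds params
;; with ? placeholders, so hand-written SQL stays parameterized.
(defn safe-exec-raw []
  (exec-raw ["SELECT * FROM users WHERE name = ?" [hostile-name]] :results))
```

Compare the output of `insert-sql` and `select-sql` (placeholders only, no trace of the hostile string) with `unsafe-raw-sql`, where the quote and `DROP TABLE` land inside the statement text. Grepping a code base for `raw` and for `str`/`format` calls that feed `exec-raw` is a reasonable first review step, since those are the only places Korma lets user input reach the SQL text.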