4

Currently my code is

import boto3

client = boto3.client('sdb')
# domain, key and value are interpolated directly into the SelectExpression
query = 'SELECT * FROM `%s` WHERE "%s" = "%s"' % (domain, key, value)
response = client.select(SelectExpression = query)

The variables key and value are input by the user; what is the best way to escape them in my code above?

Edit: What I am concerned about is how to escape the fields, as we did in the past to prevent SQL injection, but now in SimpleDB.

Ryan

2 Answers

4

Subselects and destructive operations can't be performed using simpledb.

Amazon provides quoting rules: http://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/QuotingRulesSelect.html

You can apply this behavior in python using this function:

import boto3

def quote(string):
    # SimpleDB escapes a quote character inside a quoted string by doubling it;
    # this doubles all three delimiter characters the quoting rules accept
    return string.replace("'", "''").replace('"', '""').replace('`', '``')

client = boto3.client('sdb')
# every user-supplied piece is passed through quote() before interpolation
query = 'SELECT * FROM `%s` WHERE "%s" = "%s"' % (quote(domain), quote(key), quote(value))
response = client.select(SelectExpression = query)
Pierre Barre
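An added example (not code from the answer above) that applies Amazon's doubling rule per delimiter: backticks for the domain and attribute names, single quotes for the value, so each piece only needs its own enclosing quote character escaped. The inputs are constructed; the boto3 call is left commented out so the block runs offline.

```python
# Added example: build a SimpleDB SelectExpression from untrusted input by
# quoting each piece with its own delimiter and doubling that delimiter
# inside the string (the escaping rule in Amazon's quoting guide).

def quote_identifier(name: str) -> str:
    """Quote a domain or attribute name with backticks; a backtick inside
    the name is escaped by doubling it."""
    return "`" + name.replace("`", "``") + "`"

def quote_value(value: str) -> str:
    """Quote a comparison value with single quotes; a single quote inside
    the value is escaped by doubling it."""
    return "'" + value.replace("'", "''") + "'"

def build_select(domain: str, key: str, value: str) -> str:
    """Assemble the SelectExpression; every untrusted piece goes through
    exactly one of the quoting helpers above, never raw."""
    return "SELECT * FROM %s WHERE %s = %s" % (
        quote_identifier(domain), quote_identifier(key), quote_value(value))

def unquote_value(literal: str) -> str:
    """Reverse quote_value (strip the enclosing quotes, collapse doubled
    quotes) to confirm the round trip preserves the original input."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a single-quoted literal")
    return literal[1:-1].replace("''", "'")

# Constructed inputs: the value carries quote-breaking text that would end
# the literal early if it were pasted into the query raw.
DOMAIN = "users"
KEY = "email"
VALUE = "x' or 'a' = 'a"

if __name__ == "__main__":
    query = build_select(DOMAIN, KEY, VALUE)
    print(query)
    # To send it (requires credentials, so left commented out here):
    # import boto3
    # boto3.client("sdb").select(SelectExpression=query)
```

The quoted value stays one literal string, so the comparison is against the whole input rather than against a rewritten predicate.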
3

If you meant the side effect of SQL injection is deletion/destruction, SimpleDB only supports querying data; if you want to protect against exposing data (that you don't want to), check the AWS docs here

Note: Since the guide is good to go, I thought the link is enough

Renjith Thankachan