Sanitizing SQL query parameters in AWS Athena

Question

In AWS Athena, there doesn't appear to be a good way to pass parameters into the SQL query. The typical way to execute is from a boto3 call,

response = client.start_query_execution(
    QueryString='string',
    ClientRequestToken='string',
    QueryExecutionContext={
        'Database': 'string'
    },
    ResultConfiguration={
        'OutputLocation': 'string',
        'EncryptionConfiguration': {
            'EncryptionOption': 'SSE_S3'|'SSE_KMS'|'CSE_KMS',
            'KmsKey': 'string'
        }
    }
)

If I need to pass parameters to the QueryString, I need to sanitize it to avoid injection attacks. How do I clean the input?

To those who closed it - please explain why. It seems perfectly legit. — noamtm, Jul 18 '20 at 12:53
Does this answer your question? [How to solve SQL injection for Athena?](https://stackoverflow.com/questions/50823715/how-to-solve-sql-injection-for-athena) — Theo, Aug 14 '20 at 09:22

Theo · Answer 1 · 2021-10-18T18:43:21.333

1

~~There is no such functionality in the Athena API.~~ Athena now has prepared statements.

edited Oct 18 '21 at 18:43

answered Aug 14 '20 at 09:21

Theo

131,503
21
160
205

Sanitizing SQL query parameters in AWS Athena

1 Answers1