3

I use Kotlin Exposed to create queries. But I faced a problem when I have to use a parameter received from a client:

private fun accountInfo(msg: AccountInfoMsg) {
    transaction {
        val accountInfo = UserAccount.wrapRow(Account.innerJoin(Account_Banned).select {
            Account.email.eq(msg.login.toLowerCase()) and (Account.id eq Account_Banned.accountId)
        }.single())
    }
}

So how do I create a prepared statement, or how do I pass a parameter that could contain SQL injection?

nllsdfx
  • 900
  • 14
  • 30

1 Answer

8

Exposed does this for you under the covers. Because it delegates this work down to a PreparedStatement, it's handled for you. If you want to sanity check your inputs, you should do so for business reasons, leaving the rest up to Exposed.

Edit: I believe the source of Statement in Exposed shows this in action. Delegation to PreparedStatement is all you need to prevent a SQL Injection Attack here.

Todd
  • 30,472
  • 11
  • 81
  • 89
  • 2
    Yes, I checked with `105 OR 1=1` and it looks like `WHERE account.email = '105 or 1=1'` in the final query – nllsdfx May 04 '18 at 18:44
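Added example (not the asker's code and not from the Exposed project) that makes the answer's point visible: the DSL query is rendered with a bind marker before it reaches JDBC, so the client value can only ever be compared as data. It assumes an Exposed version with the `select { }` DSL used in the question, an H2 driver on the classpath, and a hypothetical `Account` table.

```kotlin
import org.jetbrains.exposed.sql.Database
import org.jetbrains.exposed.sql.QueryBuilder
import org.jetbrains.exposed.sql.SchemaUtils
import org.jetbrains.exposed.sql.Table
import org.jetbrains.exposed.sql.insert
import org.jetbrains.exposed.sql.select
import org.jetbrains.exposed.sql.transactions.transaction

// Hypothetical table, assumed for this example (not the asker's schema).
object Account : Table("account") {
    val id = integer("id").autoIncrement()
    val email = varchar("email", 255)
}

// Same shape as the asker's query: the client-supplied value goes through the DSL.
fun findByEmail(login: String) =
    Account.select { Account.email eq login.toLowerCase() }

fun main() {
    // Assumes an in-memory H2 database (com.h2database:h2) on the classpath.
    Database.connect("jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1", driver = "org.h2.Driver")

    // Constructed hostile-looking input of the kind the asker is worried about.
    val login = "105' OR '1'='1"

    transaction {
        SchemaUtils.create(Account)
        Account.insert { it[Account.email] = "alice@example.com" }

        // Render the statement the way Exposed hands it to JDBC: the value is
        // replaced by a bind marker, so it cannot alter the query's structure.
        val query = findByEmail(login)
        println(query.prepareSQL(QueryBuilder(prepared = true)))

        // Executing it compares the whole input as one string literal, so the
        // OR clause inside it is data, not SQL, and no stored row matches it.
        println("matching rows: " + query.count())

        // The pattern that IS injectable, for contrast: splicing the value into
        // SQL text yourself bypasses parameter binding. Left commented out on purpose.
        // exec("SELECT * FROM account WHERE email = '$login'")
    }
}
```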