I am working on writing a Spring Java program accessing data from Athena, but I found that Athena JDBC driver does not support PreparedStatement, does anyone have idea about how to avoid SQL injection on Athena?
For other databases, Spring Data would help to prevent SQL injections. But this is not available for Athena AFAIK. – user152468 Jun 12 '18 at 20:01
2 Answers
Update: I originally answered this question in 2018, and since then Athena now supports query parameters.
Below is my original answer:
You'll have to format your SQL query as a string before you prepare the query, and include variables by string concatenation.
In other words, welcome to PHP programming circa 2005! :-(
This puts the responsibility on you and your application code to ensure the variables are safe, and don't cause SQL injection vulnerabilities.
For example, you can cast variables to numeric data types before you interpolate them into your SQL.
Or you can create an allowlist when it's possible to declare a limited set of values that may be allowed. If you accept input, check it against the whitelist. If the input is not in the allowlist, don't use it as part of your SQL statement.
I recommend you give feedback to the AWS Athena project and ask them when they will provide support for SQL query parameters in their JDBC driver. Email them at Athena-feedback@amazon.com
See also this related question: AWS Athena JDBC PreparedStatement
This is a *massive* downside to using Athena vs Google's BigQuery. – theferrit32 Jul 22 '19 at 22:45
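An added example (not code from the answer above, from AWS, or from the Athena driver) of the two mitigations the answer describes when the driver offers no parameter binding: every value interpolated into the SQL string has first either been parsed as a number or matched against an allowlist, and anything else is rejected before a query is built. The table, column and region names are hypothetical; only the SQL string is produced, no connection is opened.

```java
import java.util.Set;

/**
 * Added example: building an Athena query as a string without letting
 * free-form input into the SQL text. Table, columns and regions are
 * hypothetical placeholders, not from the original answer.
 */
public final class SafeAthenaQueryBuilder {

    // Allowlist of values the application is willing to place into SQL.
    private static final Set<String> ALLOWED_REGIONS =
            Set.of("us-east-1", "us-west-2", "eu-west-1");

    // Identifiers (here: sort columns) need an allowlist too; a cast cannot protect them.
    private static final Set<String> ALLOWED_SORT_COLUMNS =
            Set.of("event_time", "status_code");

    private SafeAthenaQueryBuilder() {}

    /** Numeric cast: after parsing, only the digits of a long can reach the SQL. */
    static long toLongOrThrow(String raw, String name) {
        try {
            return Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException(name + " must be an integer, got: " + raw);
        }
    }

    /** Allowlist check: returns the input only if it is one of the permitted values. */
    static String allowlisted(String raw, Set<String> allowed, String name) {
        if (raw == null || !allowed.contains(raw)) {
            throw new IllegalArgumentException(name + " is not an allowed value: " + raw);
        }
        return raw;
    }

    /** Every interpolated value has passed either the cast or an allowlist. */
    static String buildQuery(String regionInput, String minStatusInput, String sortInput) {
        String region = allowlisted(regionInput, ALLOWED_REGIONS, "region");
        long minStatus = toLongOrThrow(minStatusInput, "minStatus");
        String sortColumn = allowlisted(sortInput, ALLOWED_SORT_COLUMNS, "sort");
        return "SELECT event_time, status_code FROM access_logs"
                + " WHERE region = '" + region + "'"
                + " AND status_code >= " + minStatus
                + " ORDER BY " + sortColumn;
    }

    public static void main(String[] args) {
        System.out.println(buildQuery("us-east-1", "500", "event_time"));

        // Constructed inputs that must never be concatenated into the query.
        String[][] rejected = {
            {"us-east-1' OR '1'='1", "500", "event_time"},   // quote breaks out of the literal
            {"us-east-1", "500; DROP TABLE foo", "event_time"}, // not an integer
            {"us-east-1", "500", "event_time, 1"},             // unknown identifier
            {"us-east-1", "500", "O'Reilly"},                  // accidental quote, same outcome
        };
        for (String[] in : rejected) {
            try {
                buildQuery(in[0], in[1], in[2]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The design point is that the input string itself is never the thing concatenated: a `long` or a member of a fixed `Set` is. Where a value is genuinely free-form (a person's name, arbitrary text) neither technique applies, which is exactly the case that needs real query parameters, and is why the update at the top of the answer matters.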
Athena now has support for prepared statements (this was not the case when the question was asked).
That being said, prepared statements aren't the only way to guard against SQL injection attacks in Athena, and SQL injection attacks aren't as serious as they are in a database.
- Athena is just a query engine, not a database. While dropping a table can be disruptive, tables are just metadata, and the data is not dropped along with it.
- Athena's API does not allow multiple statements in the same execution, so you can't sneak a `DROP TABLE foo` into a statement without completely replacing the query.
- Athena does not, by design, have any capability of deleting data. Athena has features that can create new data, such as CTAS, but it will refuse to write into an existing location and cannot overwrite existing data.
SQL injection is not only about dropping tables. It's not always about malicious users at all. It can be accidental and simply result in syntax errors, for instance if someone's last name is "O'Reilly". – Bill Karwin May 19 '22 at 02:11