
I am trying to write Influx queries and to prevent SQL injection using bind parameters. The Influx documentation talks about CURL commands here and I saw a GitHub issue relating to their Java client here

Could someone please help me with SQL injection prevention using the C# Influx client with multiple WHERE clauses?

My query:

-- startTime, endTime and good are placeholders for the values; in InfluxQL string values are single-quoted, double quotes are for identifiers
SELECT * FROM "retentionPolicy.SystemGuid" WHERE time >= 'startTime' AND time <= 'endTime' AND "Quality" = 'good'
Sheena Agrawal

3 Answers


To avoid SQL injection you should be using parameterized queries.

How do you do that?

You shouldn't pass the query as one string with the values inside it; you should pass the query as a string containing placeholders, and supply the values for those placeholders separately.

ex:

using System.Data.SqlClient;

using (SqlConnection conn = new SqlConnection(DatabaseConnectionString))
using (SqlCommand cmd = conn.CreateCommand())
{
    conn.Open();
    // Placeholders in the command text; the user-supplied values are never spliced into the SQL string
    cmd.CommandText = "SELECT * FROM Users WHERE UserName = @UserName AND Password = @Password";
    cmd.Parameters.AddWithValue("@UserName", txtBoxUserName.Text);
    cmd.Parameters.AddWithValue("@Password", txtBoxPassword.Text);
    // A SELECT returns rows, so it is executed with ExecuteReader rather than ExecuteNonQuery
    using (SqlDataReader reader = cmd.ExecuteReader())
    {
        while (reader.Read())
        {
            // consume the matching rows here
        }
    }
}
Muhammad Hassan

I know this is a very old thread and probably the author has found the answer already or has moved on. For whoever stumbles upon this question -

InfluxDB supports parameterized queries. A good example is documented here -

https://github.com/MikaelGRA/InfluxDB.Client

Example query using InfluxDB driver -

var resultSet = await client.ReadAsync( db, "SELECT * FROM myMeasurementName WHERE time >= $myParam", new { myParam = new DateTime( 2010, 1, 1, 1, 1, 3, DateTimeKind.Utc ) } );

Amogh Sarpotdar
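Added example, not from the question or from either answer above, and not the C# client's API: it shows the mechanism both answers depend on, the bind parameters of the InfluxDB 1.x HTTP API (the curl form the question links to), where the InfluxQL text carries `$name` placeholders in `q` and the values travel separately as a JSON object in `params`. It is written in Python because it builds the wire form of the request, which any client, including a C# HttpClient, can reproduce; the parameter names (`$startTime`, `$endTime`, `$quality`), the `/query` URL assembly and the sample values and injection payload are this example's own choices. The measurement and tag names come from the question's query.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Tuple
from urllib.parse import urlencode

# Measurement and tag taken from the question; the $placeholder names below
# are this example's own choice (assumption, not from the page).
MEASUREMENT = '"retentionPolicy.SystemGuid"'


def rfc3339(dt: datetime) -> str:
    """Format a UTC datetime as an InfluxQL time literal, e.g. 2018-11-16T00:00:00Z."""
    if dt.utcoffset() != timedelta(0):  # naive datetimes give None here and are rejected too
        raise ValueError("time bounds must be timezone-aware UTC")
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def naive_query(start: str, end: str, quality: str) -> str:
    """The vulnerable pattern: values spliced into the InfluxQL text.

    A quality value such as  good' OR "Quality" != '  closes the string
    literal and rewrites the WHERE clause.
    """
    return (f"SELECT * FROM {MEASUREMENT} WHERE time >= '{start}' "
            f"AND time <= '{end}' AND \"Quality\" = '{quality}'")


def bound_query(start: str, end: str, quality: str) -> Tuple[str, str]:
    """Return (q, params): InfluxQL with $placeholders plus the JSON bind object.

    The values never touch the query text; they are sent in the separate
    'params' argument and bound by the server as single values, so there are
    no quoting rules for the client to get wrong.
    """
    q = (f"SELECT * FROM {MEASUREMENT} WHERE time >= $startTime "
         "AND time <= $endTime AND \"Quality\" = $quality")
    params = json.dumps({"startTime": start, "endTime": end, "quality": quality})
    return q, params


def query_string(db: str, start: str, end: str, quality: str) -> str:
    """Build the URL-encoded query string for GET /query?db=...&q=...&params=...,
    the same shape as the curl example in the InfluxDB 1.x HTTP API docs."""
    q, params = bound_query(start, end, quality)
    return urlencode({"db": db, "q": q, "params": params})


def demo() -> dict:
    """Run both builders against a constructed injection payload and report
    where the payload ends up."""
    start = rfc3339(datetime(2018, 11, 16, tzinfo=timezone.utc))
    end = rfc3339(datetime(2018, 11, 17, tzinfo=timezone.utc))
    payload = "good' OR \"Quality\" != '"  # constructed attacker input
    naive = naive_query(start, end, payload)
    q, params = bound_query(start, end, payload)
    return {
        "naive": naive,
        "bound_q": q,
        "bound_params": json.loads(params),
        "payload_in_naive_query": " OR " in naive,
        "payload_in_bound_query": payload in q,
        "request": query_string("mydb", start, end, payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check worth keeping from this: after binding, the query text still contains only `$quality`, and the attacker's string survives intact as a JSON value that the server treats as one tag value to compare against. The same separation is what the `$myParam` call in the answer above gives you through the client library.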

SQL injection is typically not an issue with InfluxDB since it does not support SQL. InfluxDB uses InfluxQL which is a SQL-like language, but it is NOT SQL.

Davidgs
    That doesn't really add much if it turns out that it's subject to "InfluxQL Injection" issues that closely mirror SQL Injection ones. Just means the term is being applied more broadly than a strict reading implies, not that it's not a valid concern. – Damien_The_Unbeliever Nov 16 '18 at 13:58
  • And what would “InfluxQL injection” look like? It’s not an SQL database. Time Series databases are used for entirely different purposes. I can’t even imagine what “InfluxQL injection” would look like, or accomplish – Davidgs Nov 17 '18 at 22:16