Prevent tarantool injection & unsolicited code execution #3927
Comments
Tarantool supports placeholders for parameters as for usual
See more in the documentation. See also the relevant discussion with the documentation team. Feel free to reopen the issue if you have more questions.
I am glad that there is already an SQL prepared. Is there a native Tarantool prepared statement? Should I reopen one? @Totktonada @kyukhin
Native requests are quite straightforward: they don't require parsing and generating of bytecode. There is no need to prepare them, because it would not give any performance benefits.
I was thinking if it was possible to further strengthen tarantool security. Native tarantool database calls might have a potential to do tarantool injection in the future. Native tarantool prepare might be one solution to this.
I see no relation. Please, show example of potentially vulnerable userland code and I will be able to respond something more certain (at least how to write it in a safe way).
In SQL, there is what we call SQL injection, and this was mitigated by using prepared statements, in tarantool what counter measures can we use so that we can prevent code injections from unsolicited users?
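
Added example, not part of the thread and not Tarantool project code: the placeholder support mentioned above, shown next to the string-concatenation pattern it replaces, plus a native space call for comparison. It assumes a Tarantool 2.x instance; the `accounts` table, its columns, the function names and the sample input are constructed for illustration.

```lua
-- Run with: tarantool example.lua (creates data files in the working directory).
box.cfg{}

box.execute([[DROP TABLE IF EXISTS accounts]])
box.execute([[CREATE TABLE accounts (id INT PRIMARY KEY, owner TEXT, note TEXT)]])
box.execute([[INSERT INTO accounts VALUES (1, 'alice', 'n1'), (2, 'bob', 'n2')]])

-- Unsafe: caller input becomes part of the statement text and is parsed as SQL.
local function find_unsafe(owner)
    return box.execute(
        "SELECT id, owner FROM accounts WHERE owner = '" .. owner .. "'")
end

-- Safe: the statement text is constant; the value is bound to the "?" placeholder.
local function find_bound(owner)
    return box.execute(
        [[SELECT id, owner FROM accounts WHERE owner = ?]], {owner})
end

-- Same binding with a named placeholder.
local function find_named(owner)
    return box.execute(
        [[SELECT id, owner FROM accounts WHERE owner = :owner]],
        {{[':owner'] = owner}})
end

-- Native request: the key is a Lua value matched against the index,
-- no statement text is built or parsed. pcall catches a key type mismatch.
local function get_native(id)
    return pcall(box.space.ACCOUNTS.get, box.space.ACCOUNTS, id)
end

-- Constructed input that changes the WHERE clause when concatenated.
local input = "nobody' OR '1'='1"

local function count(res, err)
    if res == nil then return 'error: ' .. tostring(err) end
    return #res.rows
end

print('concatenated:', count(find_unsafe(input)))
print('positional  :', count(find_bound(input)))
print('named       :', count(find_named(input)))
print('native int  :', get_native(1))
print('native str  :', get_native(input))

os.exit(0)
```

Comparing the row counts of the concatenated and bound queries shows whether the input was treated as SQL or as a plain string value.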