I am trying to update all of our influxdb python queries, so that they are not vulnerable to sql injections.
To do this, I have read that you can use params with the query_api() and specifically with the query_data_frame() (https://medium.com/sekoia-io-blog/avoiding-injections-with-influxdb-bind-parameters-50f67e379abb)
The issue I am running into is that I can not figure out how to get my params to be passed into my queries. Below is an example of one of our queries:
client = InfluxDBClient(url="localhost:5000", token="", timeout=100000, retries=0, enable_gzip=True, profilers="query, operator")
query_api = client.query_api()
ver = "data" # This variable would actually come from a function
params = {
"ver": ver,
}
query = '''from(bucket: "db")
|> range(start: -200d)
|> pivot(rowKey:["_time"], columnKey: ["_field"], valueColumn: "_value")
|> filter(fn: (r) => r._measurement == "test_result")
|> filter(fn: (r) => r.version == ver)
|> keep(columns: ["_time", "test", "run", "status_tag", "duration_sec", "version"])'''
df = query_api.query_data_frame(query=query, params=params)
Running the above gives me a HTTP response body: b'{"error":"type error 5:75-5:78: undefined identifier \\"ver\\""}\n' error.
Does anyone know how to inject params correctly into a flux query with Python?
I also used the following for help: https://influxdb-client.readthedocs.io/_/downloads/en/stable/pdf/
I tried another variable name within my dict, and it yielded the same result. I also tried using $ in the query which yielded a different error. See the below code with errors:
client = InfluxDBClient(url="localhost:5000", token="", timeout=100000, retries=0, enable_gzip=True, profilers="query, operator")
query_api = client.query_api()
ver = "data" # This variable would actually come from a function
params = {
"pVersion": ver,
}
query = '''from(bucket: "db")
|> range(start: -200d)
|> pivot(rowKey:["_time"], columnKey: ["_field"], valueColumn: "_value")
|> filter(fn: (r) => r._measurement == "test_result")
|> filter(fn: (r) => r.version == pVersion)
|> keep(columns: ["_time", "test", "run", "status_tag", "duration_sec", "version"])'''
df = query_api.query_data_frame(query=query, params=params)
HTTP response body: b'{"error":"type error 5:67-5:80: undefined identifier \\"pVersion\\""}\n'
client = InfluxDBClient(url="localhost:5000", token="", timeout=100000, retries=0, enable_gzip=True, profilers="query, operator")
query_api = client.query_api()
ver = "data" # This variable would actually come from a function
params = {
"pVersion": ver,
}
query = '''from(bucket: "db")
|> range(start: -200d)
|> pivot(rowKey:["_time"], columnKey: ["_field"], valueColumn: "_value")
|> filter(fn: (r) => r._measurement == "test_result")
|> filter(fn: (r) => r.version == $pVersion)
|> keep(columns: ["_time", "test", "run", "status_tag", "duration_sec", "version"])'''
df = query_api.query_data_frame(query=query, params=params)
HTTP response body: b'{"error":"loc 0:0-0:0: expected an operator between two expressions"}\n'
Another data point to note is that we are using the following versions:
The issue is actually with the version of influxdb I was using (1.8.6). The query params is not a feature of Influxdb 1.8.6, and was only introduced into Influxdb 2.0.x
See the link below for a question opened with the Influxdb-python-client team. https://github.com/influxdata/influxdb-client-python/issues/285