I'm using input from the user to query Snowflake within a DRF view. How do I prevent the possibility of SQL injection in the code below?
entity_id = kwargs['pk']
table = session.table("my_table").filter(col(ID_COL) == entity_id)
The good news is that the user input should already be filtered if you are using filter().
Testing with Snowpark:
import snowflake.snowpark as snowpark
from snowflake.snowpark.functions import col

def main(session: snowpark.Session):
    # Your code goes here, inside the "main" handler.
    tableName = 'information_schema.packages'
    dataframe = session.table(tableName).filter(col("language") == "';drop table bobby_tables")
    # Print a sample of the dataframe to standard output.
    dataframe.show()
    # Return value will appear in the Results tab.
    return dataframe
If you go check the Snowflake logs, you'll find that Snowflake ran the following query, with the quote escaped:
SELECT *
FROM information_schema.packages
WHERE ("LANGUAGE" = ''';drop table bobby_tables')
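To see why the logged query is harmless without a Snowflake account, here is an added Python illustration (not Snowpark's own code, and not part of the answer above). It contrasts the one thing that matters: whether the user's value is rendered as a proper single-quoted literal (quotes doubled, exactly as in the log) or spliced into the SQL text as-is, which is what you get if you bypass the DataFrame API and build the statement yourself with something like session.sql and an f-string. The escaper, the statement counter and the pk check are hand-written stand-ins for this example; the payload is the same constructed one the answer used.

```python
# Added illustration, not Snowpark's own code. The helpers below are
# assumptions written for this example; Snowpark does the literal rendering
# for you when you write col("language") == value.
import re

# Constructed sample input: the same payload the answer tested with.
USER_INPUT = "';drop table bobby_tables"

# One template, two ways of filling in the literal.
TEMPLATE = 'SELECT * FROM {table} WHERE ("{column}" = {literal})'


def snowflake_string_literal(value: str) -> str:
    """Render a Python str as a Snowflake single-quoted literal.

    Snowflake escapes an embedded single quote by doubling it, which is what
    the query in the Snowflake log shows ('''...').  Stand-in for the rendering
    the DataFrame API performs.
    """
    return "'" + value.replace("'", "''") + "'"


def build_query_unsafe(table: str, column: str, value: str) -> str:
    """The anti-pattern: user input dropped straight into the SQL text."""
    return TEMPLATE.format(table=table, column=column.upper(),
                           literal="'" + value + "'")


def build_query_safe(table: str, column: str, value: str) -> str:
    """Same statement, with the value rendered as a proper literal."""
    return TEMPLATE.format(table=table, column=column.upper(),
                           literal=snowflake_string_literal(value))


def count_statements(sql: str) -> int:
    """Crude check: how many statements would ';' split this text into?

    Walks the text tracking whether we are inside a single-quoted literal
    (a doubled quote '' keeps us inside), so a ';' inside a literal is data
    and a ';' outside a literal is a statement separator.
    """
    in_literal = False
    statements = 1
    i = 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if in_literal and sql[i + 1:i + 2] == "'":
                i += 1  # escaped quote, still inside the literal
            else:
                in_literal = not in_literal
        elif ch == ";" and not in_literal:
            statements += 1
        i += 1
    return statements


def coerce_pk(raw: str) -> int:
    """Belt and braces for the DRF view: if ID_COL is numeric, reject anything
    that is not a plain integer before it gets near a query.  An int cannot
    carry quotes or semicolons, whatever the query layer does with it."""
    if not re.fullmatch(r"\d+", raw):
        raise ValueError(f"invalid pk: {raw!r}")
    return int(raw)


if __name__ == "__main__":
    for build in (build_query_unsafe, build_query_safe):
        q = build("information_schema.packages", "language", USER_INPUT)
        print(f"{build.__name__}: {count_statements(q)} statement(s)\n  {q}")
```

Run it and the unsafe build splits into two statements (the second being the DROP), while the safe build is one statement whose WHERE clause is byte-for-byte the one in the Snowflake log. If your primary key is numeric, coerce_pk (or a <int:pk> URL converter in DRF) shuts the door before the value reaches any query layer at all.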