GAE Datastore and security risks with JDOQL

Question

I just started working on a project that will run on google app engine (GAE). I'm using java (wicket) with some ajax.

I'm experienced with relational databases and typically use something like iBatis. When going through the docs and examples for the GAE datastore using JDO I see that they're executing stuff like:

String query = "select from " + Employee.class.getName() + " where lastName == 'Smith'";
List<Employee> employees = (List<Employee>) pm.newQuery(query).execute();

Does anyone know if this JDOQL query is subject to security problems like SQL injection? If so, is there any way to remedy this?

Answer 1

Yes, that is subject to sql injection (well, JDOQL injection in this case). You should use parameters instead, as in the examples in the GAE/J documentation.

Query query = pm.newQuery(Employee.class);
query.setFilter("lastName == lastNameParam");
query.setOrdering("hireDate desc");
query.declareParameters("String lastNameParam");

try {
    List<Employee> results = (List<Employee>) query.execute("Smith");
    if (results.iterator().hasNext()) {
        for (Employee e : results) {
            // ...
        }
    } else {
        // ... no results ...
    }
} finally {
    query.closeAll();
}

Answer 2

Any JDOQL query is translated into the equivalent underlying query. In RDBMS it just happens to be SQL. In GAE/J it is their query API. That means it isn't definite that there is any "injection" of anything. You are the application developer and you define the queries, hence you have full control over such things.

Answer 3

Yes, in general it's vulnerable to injection vulnerabilities. In the examples in the docs, though, it doesn't apply - the class name is controlled by the author of the app, and the the last name in this case is a literal string.