Created 09-28-2017 08:17 PM
In creating a NiFi flow, I noticed ExecuteSQL does not support prepared statements like PutSQL does. Is there a reason for this?
Is there a method to get around it besides creating my own processor which adds the functionality?
Created 10-20-2017 05:39 PM
For example, the PutSQL documentation states the following:
The SQL command may use the ? to escape parameters. In this case, the parameters to use must exist as FlowFile attributes with the naming convention sql.args.N.type and sql.args.N.value, where N is a positive integer. The sql.args.N.type is expected to be a number indicating the JDBC Type. The content of the FlowFile is expected to be in UTF-8 format.
This allows SQL to be escaped, preventing attacks such as SQL Injection.
Unfortunately, ExecuteSQL does not contain the same functionality. As a result, SELECT statements are vulnerable to SQL injection. I'd like to know if there is a known workaround, or if we must just wait until this functionality is implemented.
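As an added illustration (not NiFi's code and not from any poster in this thread), the attribute convention quoted above from the PutSQL documentation, reduced to Python over sqlite3: the function names `bind_params`, `run_parameterized`, `run_interpolated` and `demo`, the customers table and the sample attribute values are all constructed for this example.

```python
import re
import sqlite3

# Subset of java.sql.Types codes that PutSQL accepts in sql.args.N.type:
# BIGINT=-5, INTEGER=4, DOUBLE=8, VARCHAR=12 (mapped to Python converters here).
JDBC_TYPES = {-5: int, 4: int, 8: float, 12: str}

ARG_RE = re.compile(r"^sql\.args\.(\d+)\.(type|value)$")

def bind_params(attributes):
    """Turn FlowFile attributes named sql.args.N.type / sql.args.N.value into an
    ordered list of values, one per '?' placeholder, converted by JDBC type."""
    args = {}
    for name, raw in attributes.items():
        m = ARG_RE.match(name)
        if not m:
            continue  # unrelated attribute, ignored like PutSQL does
        n, part = int(m.group(1)), m.group(2)
        args.setdefault(n, {})[part] = raw
    params = []
    for n in sorted(args):  # N is 1-based and must be contiguous
        if n != len(params) + 1 or "type" not in args[n] or "value" not in args[n]:
            raise ValueError(f"sql.args.{n} is incomplete or out of sequence")
        params.append(JDBC_TYPES[int(args[n]["type"])](args[n]["value"]))
    return params

def run_parameterized(conn, sql, attributes):
    """The PutSQL model: '?' placeholders, values sent separately by the driver,
    so a quote inside a value stays data and never alters the statement."""
    return conn.execute(sql, bind_params(attributes)).fetchall()

def run_interpolated(conn, sql_template, attributes):
    """What an ExecuteSQL flow using expression language is forced into: the value
    is spliced into the SQL text, so a quote inside it changes the statement."""
    return conn.execute(sql_template.format(**attributes)).fetchall()

def demo():
    """Returns (rows from the bound query, outcome of the interpolated query)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", [(1, "O'Brien"), (2, "Smith")])
    attrs = {"sql.args.1.type": "12", "sql.args.1.value": "O'Brien"}  # constructed
    safe = run_parameterized(conn, "SELECT id FROM customers WHERE name = ?", attrs)
    try:
        run_interpolated(conn, "SELECT id FROM customers WHERE name = '{name}'", {"name": "O'Brien"})
        naive = "ok"
    except sqlite3.OperationalError:
        naive = "syntax error"  # the apostrophe in the data broke the SQL
    return safe, naive
```

Running `demo()` shows the bound query returning the matching row while the interpolated one fails on the same input, which is the gap the post describes between PutSQL and ExecuteSQL.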
Created 01-03-2018 09:28 AM
Did you find a solution for preventing vulnerabilities in ExecuteSQL?
Can any of the escape(Json|Xml|Csv…) language expression functions be useful, or how can we make robust selects in NiFi with any kind of input characters in the SQL?
Often the needed escaping is specific for the database in question, so I'm guessing a manual use of expression functions for escaping is not very suitable without indicating the database in use...
Created 02-12-2018 04:42 PM
NIFI-978 addresses this capability; I have a Pull Request up with the improvement, and perhaps it will make it into NiFi 1.6.0.