[Bug] Driver error: query parameters are not supported by this server #184
Comments
Thanks for opening this issue. I think this is a mirror of this one on the NodeJS connector and the resolution is the same. We'll have a PR fixing it soon.
Any update on this? I just discovered this is still an issue in my own code.
@nv-josh which DBR version do you use? Query parameters depend on server support, so IIRC you need DBR 14.1 or newer to use them.
@nv-josh I worked internally w/ DB support to validate this issue went away with the preview of Serverless SQL 2024.10, you should check the same!
Ah, thank you for the responses. I'll follow up with my teams here.
Hey team, Databricks customer here! (related internal Help ticket 00404964)
Context
We originally implemented the SQL query writes using substitutes like so (this is not real code, very simplified):

But this is very bad practice when ids or timestamp are user-provided via GET query parameters (/objects?id=x&id=y). Even with initial sanitization and validation of the params, it is still a SQL injection vulnerability by static analysis (CWE-89) -- so we need to mitigate that by using the official Go database/sql library's recommendation to use a parameterized SQL query:

Issue
But, when we try to execute this parameterized query, we receive the following error:
... which isn't a good thing if we want to query our warehouse directly from the API while mitigating SQL injection.
I haven't taken the time to look, but I do not know if this is a package issue or a SQL Warehouse issue.
Notes
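The two query shapes the issue contrasts, as an added example that is not part of the issue text or of the driver's code: a string-built query where request values land inside the SQL text (the CWE-89 pattern static analysis flags), beside a parameterized builder where the SQL text holds only placeholders and the values travel separately in args. The table and column names (objects, id, payload, ts), the request values, and the use of positional `?` placeholders are all assumptions made here; check which placeholder style the driver and server accept.

```go
package main

import (
	"context"
	"database/sql"
	"errors"
	"fmt"
	"strings"
	"time"
)

// unsafeObjectsQuery is the string-building pattern the issue describes,
// simplified: ids and the timestamp are spliced into the SQL text, so any
// quote character in a request value changes the statement itself.
func unsafeObjectsQuery(ids []string, since string) string {
	quoted := make([]string, len(ids))
	for i, id := range ids {
		quoted[i] = "'" + id + "'"
	}
	return fmt.Sprintf("SELECT id, payload FROM objects WHERE id IN (%s) AND ts >= '%s'",
		strings.Join(quoted, ", "), since)
}

// buildObjectsQuery is the parameterized alternative. The SQL text contains
// one '?' per id plus one for the timestamp; the request values never touch
// the query string. Table/column names and the '?' placeholder style are
// assumptions for this example.
func buildObjectsQuery(ids []string, since time.Time) (string, []any, error) {
	if len(ids) == 0 {
		return "", nil, errors.New("at least one id is required")
	}
	// N ids yield IN (?, ?, ..., ?) regardless of what the id strings contain.
	placeholders := strings.TrimSuffix(strings.Repeat("?, ", len(ids)), ", ")
	args := make([]any, 0, len(ids)+1)
	for _, id := range ids {
		args = append(args, id)
	}
	args = append(args, since)
	query := fmt.Sprintf("SELECT id, payload FROM objects WHERE id IN (%s) AND ts >= ?", placeholders)
	return query, args, nil
}

// queryObjects runs the parameterized query through database/sql. It needs a
// live warehouse and a registered driver, so it is not exercised in this file.
func queryObjects(ctx context.Context, db *sql.DB, ids []string, since time.Time) ([]string, error) {
	query, args, err := buildObjectsQuery(ids, since)
	if err != nil {
		return nil, err
	}
	rows, err := db.QueryContext(ctx, query, args...)
	if err != nil {
		return nil, err
	}
	defer rows.Close()
	var found []string
	for rows.Next() {
		var id, payload string
		if err := rows.Scan(&id, &payload); err != nil {
			return nil, err
		}
		found = append(found, id)
	}
	return found, rows.Err()
}

func main() {
	// Constructed request values; the second id carries a quote to show that
	// the string-built form absorbs it into the SQL while the parameterized
	// form's SQL text stays fixed.
	ids := []string{"x", "x'y"}
	since := time.Date(2024, 10, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println(unsafeObjectsQuery(ids, since.Format(time.RFC3339)))
	q, args, _ := buildObjectsQuery(ids, since)
	fmt.Println(q, args)
}
```

The builder is the piece worth unit-testing in an API service: for any request the SQL text is a function of the number of ids only, which is what makes the CWE-89 finding go away; whether the warehouse then accepts the parameters is the separate server-support question raised in the comments above.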