GridGain Developers Hub

Cluster Hardening

Avoiding SQL Injections

SQL injections are a common type of attack of databases. GridGain is protected from most common types of SQL injections, however the attackers may try to find a weak spot not yet covered. To reduce the risk, it is recommended to use parametrized queries.

If you are using the Java SQL API, use parametrized queries instead of plain text queries:

IgniteCache<Long, Person> cache = ignite.cache("personCache");

cache.query(new SqlFieldsQuery("INSERT INTO Person(id, firstName, lastName) VALUES(?, ?, ?)").setArgs(1L,
		"John", "Smith")).getAll();

This way, GridGain treats each argument as a separate entity with a specific column to store it in, removing the threat of separate arguments forming malicious code.

If you are using JDBC, you can use PreparedStatements to achieve the same result:

// Insert a Person with a Long key.
PreparedStatement stmt = conn
        .prepareStatement("INSERT INTO Person(_key, name, age) VALUES(CAST(? as BIGINT), ?, ?)");

stmt.setInt(1, 1);
stmt.setString(2, "John Smith");
stmt.setInt(3, 25);