Topics started by david.moore
How Does Looker Prevent SQL Injection?
Knowledge Drop
Last tested: Jan 21, 2019

SQL injection is an attack technique that compromises data by injecting malicious SQL code into a query.

We prevent SQL injection by escaping and filtering all user input (filters, custom filters, parameters, etc.) before it reaches the generated SQL. In addition, we frequently run an extensive set of unit tests that confirm all user input is properly escaped and that no new SQL injection vulnerabilities are introduced by new code or by changes to existing code. Finally, we use threat detection tools to monitor for and block attempted SQL injection attacks against hosted Looker instances.

An important caveat is that admins, or anyone with developer permissions (specifically the `use_sql_runner` permission), can use SQL Runner to write and run arbitrary SQL against the database. This can be viewed as a means of SQL injection, so it is important to restrict admin and developer permissions to trusted users.

This content is subject to limited suppo
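To make the "escaping and filtering" point above concrete, here is an added example that is not Looker's code and does not show how Looker implements its escaping internally. It runs a user-supplied filter value against a constructed in-memory SQLite table (`users`, with made-up rows) four ways: spliced into the query text, quote-escaped, bound as a parameter, and, for a numeric column, validated before binding. The payloads are constructed for the demonstration. The numeric case shows the caveat a reviewer would raise: quote-escaping only protects a quoted string literal, so input that lands in a numeric or identifier position needs filtering (validation) as well, which is why both mechanisms are named in the text.

```python
"""
Added example (not Looker's code): how a filter value is made safe, and
where plain quote-escaping is not enough.  Uses an in-memory SQLite table
filled with constructed sample rows.
"""
import sqlite3

# Constructed sample data standing in for a table an explore might query.
ROWS = [
    (1, "alice", "us"),
    (2, "bob", "us"),
    (3, "carol", "de"),
    (4, "dave", "fr"),
]

# Constructed payloads: a string-context tautology and a numeric-context one.
STRING_PAYLOAD = "' OR '1'='1"
NUMERIC_PAYLOAD = "1 OR 1=1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, country TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_filter(conn, country: str) -> list:
    # The user-supplied filter value is spliced straight into the SQL text,
    # so a quote in the value closes the literal and the rest is parsed as SQL.
    sql = f"SELECT id, name FROM users WHERE country = '{country}'"
    return conn.execute(sql).fetchall()


def escaped_filter(conn, country: str) -> list:
    # Escaping: double every single quote so the value cannot close the
    # literal.  Correct for this quoted-string context only.
    safe = country.replace("'", "''")
    sql = f"SELECT id, name FROM users WHERE country = '{safe}'"
    return conn.execute(sql).fetchall()


def parameterized_filter(conn, country: str) -> list:
    # Bound parameter: the driver hands the value to the engine separately
    # from the statement text, so it is never parsed as SQL.
    sql = "SELECT id, name FROM users WHERE country = ?"
    return conn.execute(sql, (country,)).fetchall()


def numeric_filter_escaped_only(conn, user_id: str) -> list:
    # Quote-doubling does nothing in an unquoted numeric position: the
    # payload contains no quotes and is still interpreted as SQL.
    safe = user_id.replace("'", "''")
    sql = f"SELECT id, name FROM users WHERE id = {safe}"
    return conn.execute(sql).fetchall()


def numeric_filter_validated(conn, user_id: str) -> list:
    # Filtering: reject anything that is not a well-formed integer before it
    # reaches the query, then bind the parsed value.
    if not user_id.strip().lstrip("-").isdigit():
        raise ValueError("filter value must be an integer")
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (int(user_id),)).fetchall()


def demo() -> dict:
    """Run each variant against the payloads and return the outcomes."""
    conn = make_db()
    try:
        validated = numeric_filter_validated(conn, NUMERIC_PAYLOAD)
    except ValueError:
        validated = "rejected"
    return {
        "vulnerable": vulnerable_filter(conn, STRING_PAYLOAD),
        "escaped": escaped_filter(conn, STRING_PAYLOAD),
        "parameterized": parameterized_filter(conn, STRING_PAYLOAD),
        "honest": parameterized_filter(conn, "us"),
        "numeric_escaped": numeric_filter_escaped_only(conn, NUMERIC_PAYLOAD),
        "numeric_validated": validated,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} -> {result}")
```

Running the block prints every row for `vulnerable` and `numeric_escaped`, no rows for `escaped` and `parameterized` (the payload is matched as a literal country name), the two `us` rows for `honest`, and `rejected` for `numeric_validated`. The numeric case is the one to remember: an escaping routine is only safe for the exact SQL context it was written for, which is why unit tests that exercise each input path, as the text describes, matter more than the escaping function itself.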