Last tested: Jan 21, 2019
SQL injection is an attack technique which can compromise data by injecting malicious SQL code into a query.
We prevent SQL injection by escaping and filtering all user input (such as filters, custom filters, parameters, etc.) to prevent the injection of malicious SQL. In addition, we frequently run an extensive set of unit tests which confirm that all user input is properly escaped and that no new SQL injection vulnerabilities are introduced by new code or by changes to existing code. Finally, we use threat detection tools to monitor for and block attempted SQL injection attacks against hosted Looker instances.
An important caveat is that admins or anyone with developer permissions (specifically the `use_sql_runner` permission) can use SQL Runner to write and run arbitrary SQL on the database. This could be viewed as a means of SQL injection so it is important to restrict admin and developer permissions to trusted users.