Are Phoenix routes safe from SQL injections?

devilray · April 7, 2023, 10:41am

I have a few entities in my database where I have decided not to use an autoincrementing integer ID as primary key, modifying the auto-generated schema, routes, etc. to work with this. Instead, the primary key is a string.

As a result, show page routes now look like /entity/string_pk, where the string_pk is the primary key to use to fetch the record.

I have done this for convenience and simplicity, but worry about the possibility of SQL injection attacks, where the string_pk is replaced by plausible injection strings which Ecto will immediately SELECT for.

Is this a realistic problem to worry about, necessitating a return to integer IDs, or the use of some kind of intermediate string sanitisation in the chain?

egze · April 7, 2023, 10:51am

It depends how you load the data. If you use the standard Repo.get, then you are safe. If you are building the SQL string manually - then not.

devilray · April 7, 2023, 1:12pm

Thank you @egze that’s all I wanted to know.

I have no intention on doing this for all entities, and for the few where it seems better suitable, I will not deviate from the standard Repo.get.

Much appreciated!