Time-based SQL Injection

Need

To prevent SQL injection attacks

Context

• Usage of Elixir (v1.12+) for building scalable and fault-tolerant applications

• Usage of Ecto.Repo for interacting with databases

Description

1. Non compliant code

defmodule MyApp.UserController do
  use MyApp.Web, :controller

  def index(conn, params) do
    users = MyApp.Repo.query!("SELECT * FROM users WHERE name = '#{params["name"]}'")
    render conn, "index.html", users: users
  end
end

The Elixir code directly interpolates user input into a SQL query, which could lead to SQL injection attacks if the user input is not properly sanitized.

2. Steps

• Use parameterized queries instead of directly interpolating user input into SQL queries

• Pass the user input as a parameter to the query

3. Secure code example

defmodule MyApp.UserController do
  use MyApp.Web, :controller

  def index(conn, params) do
    users = MyApp.Repo.query!("SELECT * FROM users WHERE name = $1", [params["name"]])
    render conn, "index.html", users: users
  end
end

The secure Elixir code uses parameterized queries to prevent SQL injection attacks. The user input is no longer directly interpolated into the SQL query, but instead, it is passed as a parameter to the query.

References

• 154. Time-based SQL Injection

On this page