Using the v3 js sdk Athena Client, I'm trying to safely execute a query that is constructed from user input.
I want to avoid doing anything like this:
const queryString = `SELECT * from mytable where field = ${userSuppliedValue}`;
It seems like the proper solution to this would be using a prepared statement.
The SDK provides a way to create prepared statements like this:
await client.send(
new CreatePreparedStatementCommand({
Description: 'My example query',
QueryStatement: 'SELECT * FROM mytable WHERE ?',
StatementName: 'MyPreparedStatement',
WorkGroup: 'primary',
}),
)
So, there should be a way to execute this prepared statement, providing user input safely to replace the ? parameter.
However, I can't find any way in the SDK to execute the statement, except to build a raw query:
const data = await client.send(
new StartQueryExecutionCommand({
QueryString: `EXECUTE MyPreparedStatement USING ${userSuppliedValue}`,
ResultConfiguration: {
OutputLocation:
's3://my-example-bucket',
},
}),
);
Since this still involves building a raw query string with user input, it seems to leave me just as vulnerable to SQL injection as if I had not used a prepared statement.
The documentation on prepared statements says:
Prepared statements enable Athena queries to take parameters directly and help to prevent SQL injection attacks.
Is there some other programmatic way to execute prepared statements that I'm overlooking?
