While going through the “Getting Started” documentation provided for Google App Engine, I noticed something interesting in the “Using the Datastore” section. The datastore included in the App Engine is not a relational database, but it has some similarities. When querying the datastore, you can use GQL, which is similar to SQL. For instance:
greetings = Greeting.gql("WHERE author = :1 ORDER BY date DESC",users.get_current_user())
Notice the parameter replacement where “:1” is replaced with the value of “users.get_current_user()“. The documentation states:
Unlike SQL, GQL queries may not contain value constants: Instead, GQL uses parameter binding for all values in queries.
As Wikipedia points out, using a parameterized statement like this GQL parameter binding is one way to mitigate an SQL injection attack. The SQL injection is mitigated because the parameter value can consistently be properly escaped within the execution of the parameter binding. I find it very interesting that Google decided, in implementing GQL, to enforce the use of parameter binding. This must have been a conscious decision to help App Engine developers to make their apps more secure. I think that this is a good decision.
Tags: app engine, Google, GQL, hack, python, SQL injection