'Sanitizing string parameters in Cosmos DB to avoid SQL injection

I have an application in which a Cosmos DB SQL Query is constructed dynamically, with some parts coming from untrusted user input. These parts are all string parameters in the WHERE clause and always enclosed in single quotes. For example:

SELECT * FROM c WHERE 
    c.prop1 = '{userInput1}' AND 
    STARTSWITH(c['{userInput2}'], '{userInput3}')

For various reasons it's not possible to use library features like SqlParameter to sanitize the user input, which obviously would be the ideal solution.

But given this constraint, would it be sufficient to escape backslashes and single quotes in the user input, i.e. replace \ by \\ and ' by \' , in order to avoid all SQL injection attacks?

(Updated to reflect the comment by @404)

azure-cosmosdbazure-cosmosdb-mongoapi


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source

Related Questions

Need a direct way of implementing Azure spring data cosmos db query implementation for a nested parameter

How to prevent data factory from running out Cosmos DB RU/s

How to order results of a query by the results of an aggregate function in ComosDb?

Check if parameter is null in CosmosDB query

Get all the Partition Keys in Azure Cosmos DB collection

How atom-record-sequence (ARS) helps CosmosDB to be Multimodel?

Azure cosmosdb reservation

CosmosDB emulator can't start since port is already in use

Azure Cosmos DB - Understanding Partition Key

Azure Stream Analytics CreateOrReplace Transformation Conflict or Bad Request

Provision throughput on Database level using Table API in cosmos db

Entity Framework Core 5 and CosmosDB SQL API - Include extension method does not work

React executing code before the previous function call has finished

azure-cosmos-emulator hangs when I try to create a database

Is it possible to create a new Gremlin Graph DB and Graph using c# code