I am trying to update all of our influxdb python queries, so that they are not vulnerable to sql injections.
To do this, I have read that you can use params with the query_api() and specifically with the query_data_frame() (https://medium.com/sekoia-io-blog/avoiding-injections-with-influxdb-bind-parameters-50f67e379abb)
The issue I am running into is that I can not figure out how to get my params to be passed into my queries. Below is an example of one of our queries:
client = InfluxDBClient(url="localhost:5000", token="", timeout=100000, retries=0, enable_gzip=True, profilers="query, operator")query_api = client.query_api()ver = "data" # This variable would actually come from a functionparams = { "ver": ver,}query = '''from(bucket: "db") |> range(start: -200d) |> pivot(rowKey:["_time"], columnKey: ["_field"], valueColumn: "_value") |> filter(fn: (r) => r._measurement == "test_result") |> filter(fn: (r) => r.version == ver) |> keep(columns: ["_time", "test", "run", "status_tag", "duration_sec", "version"])'''df = query_api.query_data_frame(query=query, params=params)Running the above gives me a HTTP response body: b'{"error":"type error 5:75-5:78: undefined identifier \"ver\""}n' error.
Does anyone know how to inject params correctly into a flux query with Python?
I also used the following for help: https://influxdb-client.readthedocs.io/_/downloads/en/stable/pdf/
Update based on user16442705 question
I tried another variable name within my dict, and it yielded the same result. I also tried using $ in the query which yielded a different error. See the below code with errors:
client = InfluxDBClient(url="localhost:5000", token="", timeout=100000, retries=0, enable_gzip=True, profilers="query, operator")query_api = client.query_api()ver = "data" # This variable would actually come from a functionparams = { "pVersion": ver,}query = '''from(bucket: "db") |> range(start: -200d) |> pivot(rowKey:["_time"], columnKey: ["_field"], valueColumn: "_value") |> filter(fn: (r) => r._measurement == "test_result") |> filter(fn: (r) => r.version == pVersion) |> keep(columns: ["_time", "test", "run", "status_tag", "duration_sec", "version"])'''df = query_api.query_data_frame(query=query, params=params)HTTP response body: b'{"error":"type error 5:67-5:80: undefined identifier \"pVersion\""}n'
client = InfluxDBClient(url="localhost:5000", token="", timeout=100000, retries=0, enable_gzip=True, profilers="query, operator")query_api = client.query_api()ver = "data" # This variable would actually come from a functionparams = { "pVersion": ver,}query = '''from(bucket: "db") |> range(start: -200d) |> pivot(rowKey:["_time"], columnKey: ["_field"], valueColumn: "_value") |> filter(fn: (r) => r._measurement == "test_result") |> filter(fn: (r) => r.version == $pVersion) |> keep(columns: ["_time", "test", "run", "status_tag", "duration_sec", "version"])'''df = query_api.query_data_frame(query=query, params=params)HTTP response body: b'{"error":"loc 0:0-0:0: expected an operator between two expressions"}n'
Another data point to note is that we are using the following versions:
- Influxdb-Version: 1.8.6
- influxdb-client: 1.19.0
Advertisement
Answer
The issue is actually with the version of influxdb I was using (1.8.6). The query params is not a feature of Influxdb 1.8.6, and was only introduced into Influxdb 2.0.x
See the link below for a question opened with the Influxdb-python-client team. https://github.com/influxdata/influxdb-client-python/issues/285