
Feature request: Parameterised SQL queries in VTL

Open alextriaca opened this issue 2 years ago • 1 comment

There is currently no way to execute a parameterised SQL query against the Aurora data API in VTL. Without this all but the most simple queries cannot be executed in VTL. While there is a variableMap field which looks like it should be parameterised, it simply concatenates the strings and is just as vulnerable to SQLi. There is a broad misconception about this in the community (https://github.com/aws/aws-appsync-community/issues/60#issuecomment-546791723) as this separation is the standard way of parametrising queries in all other SQL libraries (including boto3).

Request - please can the variableMap field be converted to allow parameterised queries or a new parameters field be added that parameterises the query being made against Aurora.

alextriaca · Mar 17 '22 08:03

Hello, this is now possible with:

  • https://docs.aws.amazon.com/appsync/latest/devguide/resolver-reference-rds-js.html
  • https://docs.aws.amazon.com/appsync/latest/devguide/resolver-mapping-template-reference-rds.html

We recommend using JavaScript resolvers to interact with your Aurora data source.

onlybakam · Dec 13 '23 23:12
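The distinction the issue draws, as an added example that is not the issue's or AppSync's own code: a hypothetical `sql` tagged template (with a helper `toDataApiValue`) that emits a statement in the RDS Data API `ExecuteStatement` shape, `:name` placeholders in the text and typed values in a separate `parameters` list, beside a stand-in `substituteVariableMap` that reproduces the string substitution the issue describes. The real resolver utilities are documented at the links in the reply; this block runs stand-alone under Node with no dependencies.

```javascript
// Added example (not from the issue or AppSync): keep SQL text and values apart,
// in the shape the RDS Data API ExecuteStatement call expects
// (sql with :name placeholders, parameters as typed Field values).

// Map a JS value to a Data API typed field. Unknown types are rejected rather
// than coerced into strings, so nothing is ever spliced into the SQL text.
function toDataApiValue(v) {
  if (v === null || v === undefined) return { isNull: true };
  if (typeof v === 'string') return { stringValue: v };
  if (typeof v === 'boolean') return { booleanValue: v };
  if (Number.isInteger(v)) return { longValue: v };
  if (typeof v === 'number') return { doubleValue: v };
  throw new TypeError(`unsupported parameter type: ${typeof v}`);
}

// Tagged template: sql`SELECT ... WHERE id = ${id}` -> { sql, parameters }.
// Each interpolated value becomes a :pN placeholder plus a parameter entry;
// the statement text depends only on the template literal, never on the data.
function sql(strings, ...values) {
  const parameters = values.map((v, i) => ({ name: `p${i}`, value: toDataApiValue(v) }));
  const text = strings.reduce(
    (acc, s, i) => acc + s + (i < values.length ? `:p${i}` : ''), '');
  return { sql: text, parameters };
}

// Stand-in for the variableMap behaviour the issue describes: plain string
// substitution, so the value becomes part of the statement text.
function substituteVariableMap(statement, variableMap) {
  return Object.entries(variableMap).reduce(
    (acc, [k, v]) => acc.split(k).join(v), statement);
}

// Constructed sample input: a surname with an apostrophe is ordinary data,
// yet under substitution it changes the statement itself.
const surname = "O'Brien";
const safe = sql`SELECT id FROM users WHERE surname = ${surname} AND active = ${true}`;
const spliced = substituteVariableMap(
  "SELECT id FROM users WHERE surname = ':NAME'", { ':NAME': surname });
```

`safe.sql` is the same string whatever `surname` holds, while `spliced` is a different (and here syntactically broken) statement for each value.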