Is there a possibility of SQL Injection when inserting dataset parameters into QuickSight's custom SQL?

Hello,
I’m posting this question because there was no mention of it in the official documentation.

Is there a possibility of SQL Injection occurring when inserting dataset parameters into the custom SQL of QuickSight?

1 Like

Hi @ss49919201 - Welcome to AWS QuickSight community and thanks for posting this question. This is an interesting question, I believe you are seeing whether any SQL injection happening when parameters are used. Since QuickSight is SaaS, I believe internal traffic is secure and there is no SQL injection. However, let’s get the feedback from QuickSight experts.

Hi @Ramon_Lopez @SD_QS - Any expert advice from your side?

Regards - Sanjeeb

3 Likes

Hi @ss49919201 Could you please elaborate on your concern around SQL injection when using parameters, as in what is bothering you and how do you think SQL injection can be possible? Also, in your dashboard, how is the value of the parameter being set?

As far as encryption is concerned, I would recommend that you take a look at the following resources:

  1. Encryption in transit - Amazon QuickSight
  2. Inter-network traffic privacy in Amazon QuickSight - Amazon QuickSight

4 Likes

Hi @SD_QS I was concerned that the user’s input string would be embedded in the SQL as shown in the following SQL statement. When I actually tried entering a random string, the value was always enclosed in single quotes, so I believe that SQL injection is unlikely to occur. However, since the official documentation does not mention any SQL injection prevention measures, I created this question.

SELECT * FROM example_table WHERE col1 = <<$col1>>
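The check the last post describes (does a value that contains a single quote stay a literal?) can be reproduced locally. The following is an added example, not code from the thread and not QuickSight's implementation: it reuses the `<<$col1>>` placeholder syntax quoted above, contrasts plain text substitution (value merely wrapped in quotes) with driver-side binding, and runs both against a constructed SQLite table.

```python
import re
import sqlite3

# Placeholder syntax quoted in the thread: <<$name>>
PLACEHOLDER = re.compile(r"<<\$(\w+)>>")

def make_table():
    """Constructed sample table for the demonstration (not QuickSight data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE example_table (id INTEGER, col1 TEXT)")
    conn.executemany("INSERT INTO example_table VALUES (?, ?)",
                     [(1, "alpha"), (2, "O'Brien"), (3, "beta")])
    return conn

def naive_substitute(template, params):
    """Text substitution that only wraps the value in single quotes.
    A value that itself contains a quote changes the statement's structure."""
    return PLACEHOLDER.sub(lambda m: "'" + str(params[m.group(1)]) + "'", template)

def bind_parameters(template, params):
    """Rewrite each '<<$name>>' into a driver placeholder and return the
    argument tuple, so the driver (not string concatenation) handles quoting.
    Unknown names raise instead of leaving the marker in the SQL."""
    names = PLACEHOLDER.findall(template)
    missing = [n for n in names if n not in params]
    if missing:
        raise KeyError(f"no value for parameter(s): {missing}")
    return PLACEHOLDER.sub("?", template), tuple(params[n] for n in names)

def run_naive(template, params):
    """Rows from the text-substituted statement, or the error class name
    if the statement no longer parses."""
    conn = make_table()
    try:
        return conn.execute(naive_substitute(template, params)).fetchall()
    except sqlite3.Error as exc:
        return type(exc).__name__
    finally:
        conn.close()

def run_bound(template, params):
    """Rows from the bound statement; the value is always treated as data."""
    conn = make_table()
    try:
        sql, args = bind_parameters(template, params)
        return conn.execute(sql, args).fetchall()
    finally:
        conn.close()

TEMPLATE = "SELECT * FROM example_table WHERE col1 = <<$col1>>"
```

With `O'Brien` as the parameter value the naive version fails to parse while the bound version returns the matching row, which is the behaviour to verify when wrapping in quotes is the only visible protection.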