FME Hub user mark2atsafe just uploaded a new transformer to the FME Hub.

This transformer sanitizes string values intended to be inserted into databases. It is a useful way to clean data and to guard against malicious code attacks such as SQL injection.

Parameters

String to Sanitize: This parameter defines the string to be sanitized. It can be either entered into the dialog, or derived from an attribute value.

Output Attribute: This parameter defines the attribute to hold the output (i.e. the sanitized string). It can be either a new attribute or an existing one, even the same as the incoming attribute.

Select Language: This parameter controls the query language to use. It can encode a string in either SQL or Cypher.

Example: Data Cleaning

Using the SQLExecutor, a workspace author wishes to issue the command:

select x from y where z = 'Mark's Data'

This fails because the apostrophe inside Mark's Data closes the string literal early. Running the StringSanitizer on Mark's Data produces a SQL-valid query string.

Example: Code Injections

A workspace author accepts a string input from an end user and inserts it into the SQL:

insert into x (y) values ('z')

However, the end user is acting maliciously and enters the string:

Robert'); DROP TABLE Students;--

Without being sanitized, the value would cause Robert to be inserted into the database, and the table Students to be deleted.

Running the input through the StringSanitizer escapes it so that the whole value is treated as data and the embedded command is never executed:

'Robert''); DROP TABLE Students;--'
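The two examples above, worked through in code. This is an added illustration, not the transformer's own implementation: it reproduces the apostrophe-doubling shown for the SQL language option (Cypher is not covered), runs the resulting INSERT against an in-memory SQLite database to confirm the Students table survives, and shows the parameterized query a practitioner would normally prefer over escaping.

```python
import sqlite3


def sanitize_sql(value: str) -> str:
    """Return `value` as a SQL string literal, doubling every apostrophe so it
    cannot terminate the literal early (the transformation the page shows)."""
    return "'" + value.replace("'", "''") + "'"


def insert_sanitized(value: str) -> tuple:
    """Build the page's INSERT with the sanitized literal, run it on a throwaway
    SQLite database and return (stored value, whether table Students survived)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("create table x (y text); create table Students (id integer);")
    # The statement is still assembled by concatenation, but only the escaped
    # literal carries user data, so the embedded '); DROP ...' stays inside it.
    conn.executescript(f"insert into x (y) values ({sanitize_sql(value)});")
    stored = conn.execute("select y from x").fetchone()[0]
    tables = {r[0] for r in conn.execute(
        "select name from sqlite_master where type = 'table'")}
    conn.close()
    return stored, "Students" in tables


def insert_parameterized(value: str) -> str:
    """Preferred alternative: bind the value as a parameter so the driver never
    interprets it as SQL at all; no escaping step is needed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table x (y text)")
    conn.execute("insert into x (y) values (?)", (value,))
    stored = conn.execute("select y from x").fetchone()[0]
    conn.close()
    return stored


if __name__ == "__main__":
    # Constructed inputs taken from the two examples on the page.
    print(sanitize_sql("Mark's Data"))
    print(insert_sanitized("Robert'); DROP TABLE Students;--"))
    print(insert_parameterized("Mark's Data"))
```

Escaping only protects string literals; values spliced into identifiers, numbers or LIKE patterns need parameterization or an allow-list instead.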
