Allowing Special Characters in Couchbase

Hi All,
One of our business requirements is to allow special characters as a part of the data which will be saved into couchbase. Is it safe to allow special characters like ’ , ‘’ , @ , () , / , * into the the database ? We are concerned about Injection and XSS.

Appreciate if any can provide some guidance on how to safely allow special characters

checkout JSON spec JSON

Thanks … not sure how this can help in couchbase . Appreciate if you could share more details

Couchbase is key value store.
key is string, value can be JSON or binary
special characters you refer will be part of string. what ever JSON spec allowed those allowed. JSON spec tells what is escape characters how to escape them.

thanks … does using namedparameters help ?

You can pass the data as parameter values, as long as they’re valid characters. Depending on how/where you’re constructing the values, the escaping rules will vary. (e.g. if using the Java SDK with string literals, then Java rules for quoting special characters in string literals apply).

e.g.

cbq> prepare p1 from select $r;
...
cbq> execute p1 using {"r":" ’ , ‘’ , @ , () , / , * \""};
...
    "results": [
    {
        "$1": " ’ , ‘’ , @ , () , / , * \""

Of course in this example JSON rules still apply - just to how the characters are provided as the parameter data.

The result from the API is JSON (note the valid escaping is still present); SDKs will typically process this for you and provide the returned data in native types.

As long as the characters are presented in valid JSON format strings to Couchbase Server, it can store/use them.
https://docs.couchbase.com/server/current/n1ql/n1ql-language-reference/datatypes.html#string-values

(Please bear in mind that Couchbase uses byte-order collation for sorting.)

1 Like

Yes, using named or positional parameters instead of putting the values directly in the query string is a good technique to protect against SQL injection.