Use parameterized Flux queries

InfluxDB Cloud supports parameterized Flux queries that let you dynamically change values in a query using the InfluxDB API. Parameterized queries make Flux queries more reusable and can also be used to help prevent injection attacks.

Prevent injection attacks

Use parameterized queries when executing Flux queries with untrusted user input; for example, in a web or IoT application. For more information on security and query parameterization, see the OWASP SQL Injection Prevention Cheat Sheet. While this guide is about SQL, it contains useful general advice.

The InfluxDB Cloud /api/v2/query API endpoint accepts a params field in the request body. The params field is a JSON object with key-value pairs where the key is a parameter name and the value is the parameter value. For example:

"params": {
  "ex1": "foo",
  "ex2": "bar" 
}

InfluxDB Cloud inserts the params JSON object into the Flux query as a Flux record named params. Use dot or bracket notation to access parameters in the params record in your Flux query. For example, using the example params JSON above, the following query

from(bucket: params.ex1)
    |> range(start: -1h)
    |> filter(fn: (r) => r._measurement == params.ex2)

would execute as

from(bucket: "foo")
    |> range(start: -1h)
    |> filter(fn: (r) => r._measurement == "bar")

Example

To use a parameterized query, do the following:

Create your Flux query. Use dot or bracket notation to reference parameters inside the params record to populate values at query time. The following example uses params.mybucket to define the bucket name.
```
from(bucket: params.mybucket)
    |> range(start: -7d)
    |> limit(n:2)
```

Use the InfluxDB Cloud /api/v2/query API endpoint to execute your query. Provide the following in your request body:

query: Raw Flux query to execute
params: JSON object with key-value pairs for each parameter to include in the query.

For example:

curl --request POST \
  'https://cloud2.influxdata.com/api/v2/query?orgID=<YourOrgID>' \
  --header 'authorization: Token <YourAuthToken>' \
  --header 'content-type: application/json' \
  --data '{
    "query":"from(bucket: params.mybucket) |> range(start: -7d) |> limit(n:2)",
    "params":{
      "mybucket":"telegraf"
      }
    }'

Supported parameter data types

Parameterized Flux queries support int, float, and string data types. To convert the supported data types into other Flux basic data types, use Flux type conversion functions.

For example, to define the start parameter of the range() function using a parameterized duration value:

Use the duration() function to convert the param value into a duration:

from(bucket:"example-bucket")
    |> range(start: duration(v: params.mystart))
    |> limit(n:2)

In the param field of your query request body, format the duration parameter as a string:

{
  "query": "from(bucket:\"example-bucket\") |> range(start: duration(v : params.mystart)) |> limit(n:2)",
  "params": {
    "mystart": "-7d"
  }
}

query security

Was this page helpful?

Thank you for your feedback!

Support and feedback

Thank you for being part of our community! We welcome and encourage your feedback and bug reports for InfluxDB and this documentation. To find support, use the following resources:

Customers with an annual or support contract can contact InfluxData Support.

Edit this page Submit docs issue Submit InfluxDB issue

Use parameterized Flux queries

Prevent injection attacks

Example

Supported parameter data types

Support and feedback

Select your InfluxDB Cloud region

AWS

GCP

Azure

Thank you for your feedback!

The future of Flux

InfluxDB Cloud powered by TSM