AWS Security ChangesHomeSearch

AWS appsync high security documentation change

Service: appsync · 2025-07-07 · Security-related high

File: appsync/latest/eventapi/rds-function-reference.md

Summary

Added security-focused explanation about SQL injection protection and corrected variable reference from pathj to path

Security assessment

Explicitly mentions protection against SQL injection attacks through database engine sanitization. Corrects a potential variable name error (pathj -> path) while emphasizing secure handling of dynamic values.

Diff

diff --git a/appsync/latest/eventapi/rds-function-reference.md b/appsync/latest/eventapi/rds-function-reference.md
index 93a45d511..c9babaf06 100644
--- a//appsync/latest/eventapi/rds-function-reference.md
+++ b//appsync/latest/eventapi/rds-function-reference.md
@@ -23 +23,3 @@ The `sql` tagged template only supports passing variable values. You can't use a
-In the following example, we create a query that filters based on the value of the `col` argument that is set dynamically in the GraphQL query at run time. The value can only be added to the statement using the tag expression:
+**Filtering Database Results Securely with Dynamic Channel Paths**
+
+When building AWS AppSync applications, you often need to filter database queries based on dynamic values. This pattern shows how to safely incorporate run-time values into your SQL queries while maintaining security. In the following example, we create a query that filters based on the value of channel path that is set dynamically at run time. The value can easily be added to the statement using the tag expression.
@@ -32,2 +34 @@ In the following example, we create a query that filters based on the value of t
-    WHERE column = ${ctx.info.channel.pathj}`
-        ;
+        WHERE column = ${ctx.info.channel.path}`;
@@ -38 +39 @@ In the following example, we create a query that filters based on the value of t
-By passing all dynamic values through the variable map, we rely on the database engine to securely handle and sanitize values.
+The database engine automatically protects against SQL injection attacks by sanitizing all values passed through the variable map.