Created
June 1, 2015 14:56
sql injections
This query works,

`Model.where("major #{operator} :major OR (major = :major AND minor #{operator} :minor)", :major => major, :minor => minor)`

but I am worried about SQL injection passing an escaped string, so I tried this

`Model.where("major :operator :major OR (major = :major AND minor :operator :minor)", :major => major, :minor => minor, :operator => :operator)`

which will throw an error

```
ERROR: syntax error at or near "1"
LINE 1: ...o_content_view_versions" WHERE (major '=' 1 OR (majo...
```

it has an issue with = or > as a string
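The error above is the expected behaviour of bind parameters: the driver quotes every bound value, so a bound operator arrives as the string literal `'='`, and `major '=' 1` is not valid SQL. Operators are syntax, not data, so they cannot be bound; the defensive pattern is to allowlist the operator and interpolate only the allowlist's own constant, while the numbers stay as named binds. The following is an added example, not code from the gist. It assumes the fragment is meant for `Model.where` and uses plain Ruby with no ActiveRecord dependency, so it runs offline; `version_comparison`, `ALLOWED_OPERATORS` and `UnsafeOperatorError` are names chosen here for illustration.

```ruby
# Added example (not from the gist): build the version-comparison fragment
# for Model.where without interpolating caller-supplied text into SQL.
#
# Bind parameters (:major, :minor) are quoted by the database driver, so a
# bound operator becomes the string literal '=' and the query fails, as the
# gist's error shows. Operators are SQL syntax, not values, so they are
# chosen from a fixed allowlist and only the allowlist's constant is
# interpolated.

# The only comparison operators this fragment may contain. Keys are the
# values callers pass; values are the text that reaches the SQL string.
ALLOWED_OPERATORS = {
  "="  => "=",
  ">"  => ">",
  ">=" => ">=",
  "<"  => "<",
  "<=" => "<=",
}.freeze

# Raised when a caller passes an operator outside the allowlist.
class UnsafeOperatorError < ArgumentError; end

# Returns [sql_fragment, binds], suitable for Model.where(sql_fragment, binds).
# `operator` is looked up in ALLOWED_OPERATORS; the interpolated text is the
# allowlist's constant, never the caller's string. `major` and `minor` are
# coerced to Integer (rejecting anything that is not a number) and passed as
# named binds so their quoting is left to the driver.
def version_comparison(operator, major, minor)
  op = ALLOWED_OPERATORS.fetch(operator.to_s) do
    raise UnsafeOperatorError, "operator not allowed: #{operator.inspect}"
  end
  sql = "major #{op} :major OR (major = :major AND minor #{op} :minor)"
  [sql, { major: Integer(major), minor: Integer(minor) }]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a permitted operator and one outside the list.
  sql, binds = version_comparison(">", 1, 2)
  puts sql
  p binds
  begin
    version_comparison("<>", 1, 2)
  rescue UnsafeOperatorError => e
    puts "rejected: #{e.message}"
  end
end
```

In an ActiveRecord model this would be called as `Model.where(*version_comparison(operator, major, minor))`; the splat passes the fragment and the bind hash as the two arguments `where` expects, and the operator string never reaches the SQL unless it is one of the allowlisted constants.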