[Insight] Database queries should use parameter binding - in Query.php, line 795
bethrezen opened this issue · 1 comment
bethrezen commented
If provided by the user, the value of `$collection` may allow an SQL injection attack. Avoid concatenating parameters to SQL query strings, and use parameter binding instead.
```php
/**
 * @param $columns
 * @return string
 */
protected function buildUpdate($collection, $columns)
{
    // $collection is concatenated straight into the AQL text (flagged by Insight above)
    return 'UPDATE ' . $collection . ' WITH '
        . Serializer::encode($columns) . ' IN '
        . $this->quoteCollectionName($collection);
}
```
Posted from SensioLabsInsight
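For comparison, an added example (not the project's code) of how an AQL `UPDATE` can be built without concatenating any caller-supplied value into the query text: the collection name is checked against an identifier pattern and then passed through the `@@name` bind-parameter form that AQL provides for collections, while the key and document go in as ordinary bind values. The class name, signature and the exact name pattern are assumptions for illustration.

```php
<?php
declare(strict_types=1);

final class SafeUpdateBuilder
{
    // Assumed conservative rule for plain ASCII collection names; tighten to your naming scheme.
    private const COLLECTION_PATTERN = '/^[A-Za-z][A-Za-z0-9_-]{0,255}$/';

    /**
     * @param string $collection target collection, validated as an identifier
     * @param string $key        key of the document to update
     * @param array  $columns    attributes to set
     * @return array{query: string, bindVars: array} constant query text plus its bind variables
     */
    public static function buildUpdate(string $collection, string $key, array $columns): array
    {
        if (preg_match(self::COLLECTION_PATTERN, $collection) !== 1) {
            throw new InvalidArgumentException('Invalid collection name: ' . $collection);
        }
        // The query string never changes; every variable part travels as a bind parameter.
        // '@collection' (with one leading @) is the bind-variable name behind @@collection.
        return [
            'query'    => 'UPDATE @key WITH @doc IN @@collection',
            'bindVars' => [
                'key'         => $key,
                'doc'         => $columns,
                '@collection' => $collection,
            ],
        ];
    }
}

// Constructed sample input: a well-formed name builds the query, a malformed one is rejected early.
$ok = SafeUpdateBuilder::buildUpdate('users', '123', ['status' => 'active']);
echo $ok['query'], PHP_EOL;                 // UPDATE @key WITH @doc IN @@collection
echo json_encode($ok['bindVars']), PHP_EOL; // {"key":"123","doc":{"status":"active"},"@collection":"users"}

try {
    SafeUpdateBuilder::buildUpdate('not a valid name!', '1', []);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;         // Invalid collection name: not a valid name!
}
```

The validation step matters even when the name comes from configuration rather than a request, because a collection name cannot be bound for every AQL statement form and the check is cheap.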
evgen-d commented
collection is not provided by the user