bogdan/datagrid

SQL Injection in Filter example

evan-duncan opened this issue · 1 comment

The wiki page for filters includes examples that will open up users to SQL injection.

# easy use case:
filter(:name, :string) { |value| where("name ilike '%#{value}%'") }

You should update all example queries that are not properly sanitizing inputs so users less familiar with Active Record won't do bad things.

# easy use case:
filter(:name, :string) { |value| where("name ilike ?", "%#{value}%") }

Good suggestion, btw, you can update that too.
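As an added illustration (not code from the datagrid wiki or from either participant above), the following stand-alone Ruby models the two filter blocks from the issue so the difference can be checked without a database: `where_interpolated` mirrors the vulnerable wiki example, `where_bound` mirrors the corrected `where("name ilike ?", ...)` form. The quoting and LIKE escaping are a simulation of what the ActiveRecord adapter does for a bound parameter; the `sanitize_like` helper reimplements the idea behind `ActiveRecord::Base.sanitize_sql_like`, which the page does not mention but which the `%`-wrapped ILIKE pattern also needs.

```ruby
# Simulation of bind-parameter quoting for the datagrid filter examples.
# Not datagrid or Rails code; in a real app the database adapter does this.

# Make user input match literally inside LIKE/ILIKE by escaping the wildcard
# characters `%` and `_` (and the escape character itself). Rails provides
# ActiveRecord::Base.sanitize_sql_like for this; reimplemented here.
def sanitize_like(value, escape = "\\")
  value.gsub(/[\\%_]/) { |m| escape + m }
end

# Quote a value as an SQL string literal: single quotes around it, embedded
# single quotes doubled. This is what binding a `?` does to a string argument.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Vulnerable form from the wiki page: the raw value becomes part of the SQL
# text, so a quote in the input also ends the literal.
def where_interpolated(value)
  "name ilike '%#{value}%'"
end

# Corrected form from the issue: the template keeps a placeholder and the
# value is supplied separately, so it can only ever be data.
def where_bound(value)
  template = "name ilike ?"
  template.sub("?") { quote_literal("%#{sanitize_like(value)}%") }
end

# Defender-side check: replace every well-formed string literal with `?` and
# compare with the intended template. Input that changed the statement's
# shape leaves text behind that is not part of the template.
def structure_preserved?(sql, template = "name ilike ?")
  sql.gsub(/'(?:[^']|'')*'/, "?") == template
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values: a plain name, a name with an apostrophe,
  # and a value containing a LIKE wildcard.
  ["Alice", "O'Brien", "100%"].each do |v|
    puts "%-8s interpolated: %-26s preserved=%s" %
      [v, where_interpolated(v), structure_preserved?(where_interpolated(v))]
    puts "%-8s bound:        %-26s preserved=%s" %
      [v, where_bound(v), structure_preserved?(where_bound(v))]
  end
end
```

Note that the `100%` case keeps its structure in both forms; only the bound form with `sanitize_like` also stops the user's `%` from acting as a wildcard.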