PostgresCollection implementation is vulnerable to SQLi
avinashkolluru opened this issue · 1 comment
avinashkolluru commented
See the method parseQueryForNonCompositeFilter here -
We seem to be appending strings to create a SQL statement instead of creating a parameterized query using ?
and later setting the corresponding arguments while querying.
This is prone to SQL injection.
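To make the concatenation-versus-placeholder distinction concrete, here is an added example that is not part of the issue or of the project's code. It assumes a non-composite filter of the shape (field, operator, value) and uses Python's `sqlite3` on an in-memory table as a stand-in for Postgres, since its `?` placeholder style matches the JDBC-style `?` the reporter refers to; the `documents` schema and the row data are constructed for the demo.

```python
import sqlite3

# Constructed in-memory table standing in for a Postgres-backed collection.
# Hypothetical schema and rows; not the project's own.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id TEXT PRIMARY KEY, tenant TEXT, name TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", [
        ("1", "acme", "alpha"),
        ("2", "acme", "beta"),
        ("3", "globex", "gamma"),
    ])
    return conn

# Allow-lists for the parts of a filter that cannot be bound as parameters:
# identifiers and operators must be validated, not quoted.
ALLOWED_COLUMNS = {"id", "tenant", "name"}
ALLOWED_OPS = {"=": "=", "!=": "<>", ">": ">", "<": "<"}

def build_filter_concat(field, op, value):
    # Vulnerable pattern: the filter value is spliced into the SQL text,
    # so a value containing a quote changes the statement's structure.
    return f"SELECT id FROM documents WHERE {field} {op} '{value}' ORDER BY id"

def build_filter_param(field, op, value):
    # Hardened pattern: identifier and operator are checked against allow-lists,
    # the value is sent separately as a bound parameter via '?'.
    if field not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown column {field!r}")
    if op not in ALLOWED_OPS:
        raise ValueError(f"unsupported operator {op!r}")
    sql = f"SELECT id FROM documents WHERE {field} {ALLOWED_OPS[op]} ? ORDER BY id"
    return sql, (value,)

def query_concat(conn, field, op, value):
    """Run the string-built filter; returns matching ids."""
    return [row[0] for row in conn.execute(build_filter_concat(field, op, value))]

def query_param(conn, field, op, value):
    """Run the parameterized filter; returns matching ids."""
    sql, params = build_filter_param(field, op, value)
    return [row[0] for row in conn.execute(sql, params)]

if __name__ == "__main__":
    conn = make_db()
    payload = "acme' OR '1'='1"  # classic tautology injection in the value position
    print("honest value, concat :", query_concat(conn, "tenant", "=", "acme"))
    print("honest value, param  :", query_param(conn, "tenant", "=", "acme"))
    print("payload, concat      :", query_concat(conn, "tenant", "=", payload))
    print("payload, param       :", query_param(conn, "tenant", "=", payload))
```

With the honest value both builders return the two `acme` rows. With the payload the concatenated query becomes `... WHERE tenant = 'acme' OR '1'='1'` and leaks every tenant's rows, while the parameterized query compares `tenant` against the literal string `acme' OR '1'='1` and returns nothing. Note that binding only fixes the value position; the column name and operator still have to be validated, which is why the hardened builder allow-lists them rather than quoting them.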