CSNW / sql-bricks

Transparent, Schemaless SQL Generation
http://csnw.github.io/sql-bricks
MIT License

Add an advice to docs to use .toParams() over .toString() #90

Closed Suor closed 7 years ago

Suor commented 7 years ago

Or even suggest that .toString() is for debugging purposes only, as values are not escaped by the actual backend.

prust commented 7 years ago

@Suor: Due to security concerns? Maybe along with a mention of SQL injection attacks and a link to https://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements ?

Suor commented 7 years ago

Yes, and not only security. People came to me with issues several times when the database was not understanding the query stringification.

In one case it was even a custom type that just the db library understands by its own hooks.

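An added illustration of the distinction Suor describes, not code from sql-bricks (the MiniQuery, Point and fakeDriverSend names are constructed here): .toString() inlines values using a client-side guess at the literal syntax, while .toParams() keeps query text and values apart so the driver's own type hooks and the backend's escaping rules apply.

```javascript
// Constructed custom type that only the (fake) driver knows how to serialize.
class Point { constructor(x, y) { this.x = x; this.y = y; } }

function inlineLiteral(v) {
  // Client-side guess at a SQL literal; it knows nothing about the backend's
  // escaping rules or about driver-registered types such as Point.
  if (v === null) return 'NULL';
  if (typeof v === 'number') return String(v);
  return `'${String(v).replace(/'/g, "''")}'`;
}

class MiniQuery {
  constructor(table, where) { this.table = table; this.where = where; }
  // Debug-only rendering: every value is inlined as text.
  toString() {
    const conds = Object.entries(this.where).map(([k, v]) => `${k} = ${inlineLiteral(v)}`);
    return `SELECT * FROM ${this.table} WHERE ${conds.join(' AND ')}`;
  }
  // Driver-ready rendering: numbered placeholders, raw values passed separately.
  toParams() {
    const values = [];
    const conds = Object.entries(this.where).map(([k, v]) => {
      values.push(v);
      return `${k} = $${values.length}`;
    });
    return { text: `SELECT * FROM ${this.table} WHERE ${conds.join(' AND ')}`, values };
  }
}

// Stand-in for a database driver: it receives text and values separately,
// so it can apply its own type hook (here: Point) to each value before sending.
function fakeDriverSend(params) {
  const encoded = params.values.map(v => (v instanceof Point ? `(${v.x},${v.y})` : v));
  return { text: params.text, values: encoded };
}

// Constructed sample query mixing a quoted string and a driver-only type.
const q = new MiniQuery('place', { name: "O'Brien's", loc: new Point(1, 2) });

// Debug rendering: the Point collapses to '[object Object]', which no backend understands.
const debugSql = q.toString();

// Driver rendering: the text carries no user data, and the driver hook serializes Point.
const sent = fakeDriverSend(q.toParams());
```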

prust commented 7 years ago

@Suor: I see, good to know. I can add something to the "Use" sections on the readme & the docs, as well as a mention in the .toString() & .toParams() documentation.

Suor commented 7 years ago

Thanks.

prust commented 7 years ago

Thanks for encouraging me to do this @Suor, addressed in b38c07b.