EugZol / where_exists

Adds the power of SQL Exists to ActiveRecord
MIT License

Safe against SQL injection? #1

Closed: eric-simonton-sama closed this 7 years ago

eric-simonton-sama commented 9 years ago

I peeked at your source and noticed you pass the supplied filter argument(s) directly to ActiveRecord's where(). ActiveRecord's documentation for where says that if that argument is a plain string it is vulnerable to SQL injection. If that is the same for this gem (which, from what I can tell, it is), may I suggest documenting that in your readme?

EugZol commented 9 years ago

Hi @eric-simonton-sama! Thanks for your concern. Sorry for the long reply; I was on vacation with very limited internet access. Arguments are indeed passed directly to where, you are right. I think clarifying that fact in the README and briefly citing the ActiveRecord documentation would be a nice thing to do. Would you like to make a pull request (you can edit the README in place on GitHub)?
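To make the distinction discussed above concrete, here is an added example (not the gem's or ActiveRecord's own code) that models how the argument forms accepted by where(), which where_exists forwards unchanged, are treated: a bare string is used verbatim, while the placeholder-array and hash forms quote the values. The quoting routine is a simplified stand-in for ActiveRecord's sanitizer, and the user input is constructed.

```ruby
# Constructed model of where()'s argument handling (not ActiveRecord's code).
# Quoting is simplified: strings are wrapped in single quotes with embedded
# single quotes doubled, which is the standard SQL string-literal escape.
def quote(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Replace each "?" in the template with the corresponding quoted bind value.
def bind_placeholders(template, binds)
  raise ArgumentError, "wrong number of bind variables" unless template.count("?") == binds.size
  binds.each_with_object(template.dup) { |v, sql| sql.sub!("?", quote(v)) }
end

# Mirrors the three shapes where() accepts: a plain string, a string with
# "?" placeholders plus values, and a column => value hash.
def build_condition(arg, *binds)
  case arg
  when String
    binds.empty? ? arg : bind_placeholders(arg, binds) # bare string: verbatim, nothing quoted
  when Hash
    arg.map { |col, v| "#{col} = #{quote(v)}" }.join(" AND ") # hash form: values quoted
  else
    raise ArgumentError, "unsupported condition: #{arg.inspect}"
  end
end

# Constructed untrusted input containing a quote character.
UNTRUSTED_TITLE = "it's".freeze

# Plain string built by interpolation: the quote reaches the SQL unescaped,
# so the user's input alters the syntax of the condition, not just a value.
def raw_string_condition(title)
  build_condition("posts.title = '#{title}'")
end

# Placeholder form: the quote is escaped and the input stays a value.
def placeholder_condition(title)
  build_condition("posts.title = ?", title)
end

# Hash form: equally safe, since the value is quoted by the builder.
def hash_condition(title)
  build_condition("posts.title" => title)
end
```

Comparing raw_string_condition(UNTRUSTED_TITLE) with the other two shows why the README note matters: only the bare-string form lets a quote in the input break out of the literal.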

EugZol commented 7 years ago

Closing for now. PRs are welcome.