Closed eric-simonton-sama closed 7 years ago
Hi @eric-simonton-sama! Thanks for your concern. Sorry for the long reply, I was on vacation with very limited internet access. Arguments are indeed passed directly to `where`, you are right. I think clarifying that fact in the README and briefly citing the ActiveRecord documentation would be a nice thing to do. Would you like to make a pull request (you can edit the README in-place on GitHub)?
Closing for now. PRs are welcome.
I peeked at your source and noticed you pass the supplied filter argument(s) directly to ActiveRecord's `where()`. ActiveRecord's documentation for `where` says that if that is a plain string it is vulnerable to SQL injection. If that is the same for this gem (which, from what I can tell, it is), may I suggest documenting that in your README?