Oshuma / app_config

Simple Ruby framework-agnostic application configuration.
http://oshuma.github.io/app_config/
MIT License

Bug: Allow ' in the values in the postgres backend (sqli) #34

Open rud opened 10 years ago

rud commented 10 years ago

Seeing this: https://github.com/Oshuma/app_config/blob/6148df46ac6a2a7be047bebac61b40db988d051c/lib/app_config/storage/postgres.rb#L48-L56

I know end-user input is not expected to be stored in a configuration backend, but the code as it stands is classic SQL injection.

This might be relevant: http://deveiate.org/code/pg/PG/Connection.html#method-c-escape_string

rud commented 10 years ago

Oh hey, http://deveiate.org/code/pg/PG/Connection.html#method-i-exec_params is even easier to use, should you be so inclined.

Feel free to close if irrelevant.
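The two comments above contrast three ways of getting a value into a Postgres statement: interpolating it into the SQL text (the pattern the issue reports), escaping it first (`PG::Connection#escape_string`), and passing it as a bound parameter (`PG::Connection#exec_params`). The following is an added example, not app_config's own code and not the contents of the linked postgres.rb. It assumes a hypothetical key/value table `app_config` with columns `key` and `value`, and uses a small tokenizer in place of a real server so it runs offline; `escaped_set` is a simplified stand-in for `escape_string` that only doubles single quotes.

```ruby
# Added example (not app_config's code). Assumed schema: table app_config
# with columns "key" and "value". The payload below is a constructed test
# value, not something taken from the project.

# Vulnerable shape reported in the issue: the value becomes part of the
# statement text, so a single quote inside it closes the literal and
# whatever follows is parsed as SQL.
def interpolated_set(key, value)
  "UPDATE app_config SET value = '#{value}' WHERE key = '#{key}'"
end

# First suggestion: escape before interpolating. Simplified stand-in for
# PG::Connection#escape_string (which also deals with encoding and
# backslashes); doubling each ' keeps the value inside the literal.
def escaped_set(key, value)
  "UPDATE app_config SET value = '#{value.gsub("'", "''")}' " \
    "WHERE key = '#{key.gsub("'", "''")}'"
end

# Second suggestion: bind the values. The statement text is fixed and holds
# only $n placeholders; returns the [sql, params] pair you would hand to
# conn.exec_params(sql, params), so the values never reach the SQL parser.
def parameterised_set(key, value)
  ["UPDATE app_config SET value = $1 WHERE key = $2", [value, key]]
end

# Tiny tokenizer standing in for the server's lexer: drop line comments,
# replace each single-quoted literal (with '' escapes) by "?", and return
# what is left, i.e. the text that would be read as keywords and identifiers.
def sql_outside_literals(sql)
  out = +""
  i = 0
  while i < sql.length
    if sql[i, 2] == "--"          # line comment: the server ignores the rest of the line
      i = sql.index("\n", i) || sql.length
    elsif sql[i] == "'"
      i += 1
      while i < sql.length
        if sql[i] != "'"
          i += 1
        elsif sql[i + 1] == "'"   # '' is an escaped quote inside the literal
          i += 2
        else
          i += 1
          break
        end
      end
      out << "?"                   # one placeholder per literal, whatever it held
    else
      out << sql[i]
      i += 1
    end
  end
  out
end

# True when a DROP TABLE ends up outside every literal, i.e. would execute.
def injected?(sql)
  sql_outside_literals(sql).include?("DROP TABLE")
end

PAYLOAD = "x'; DROP TABLE app_config; --"   # constructed config value

if $PROGRAM_NAME == __FILE__
  puts sql_outside_literals(interpolated_set("theme", PAYLOAD))
  puts sql_outside_literals(escaped_set("theme", PAYLOAD))
  p parameterised_set("theme", PAYLOAD)
end
```

With the interpolated form the tokenizer reduces the statement to `UPDATE app_config SET value = ?; DROP TABLE app_config; `, so the second statement is live SQL; the escaped form keeps the whole payload inside one literal, and the parameterised form has no literals in the statement text at all. Of the three, `exec_params` is the one to prefer: escaping must be remembered at every call site and is sensitive to connection encoding settings, whereas bound parameters cannot change the statement's structure.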

Oshuma commented 10 years ago

@rud I can imagine a system where app_config is used to store per-user config (i.e., config values accepted from end users), so this could potentially be an issue. I'll investigate when I get some spare time. Thanks for submitting the issue!

rud commented 10 years ago

You're most welcome

rud commented 9 years ago

Welp, this is still open a year later. I know, life happens :cake: :v: