Open rud opened 10 years ago
Oh hey, http://deveiate.org/code/pg/PG/Connection.html#method-i-exec_params is even easier to use, should you be so inclined.
Feel free to close if irrelevant.
@rud I can imagine a system where app_config is used to store per-user config (i.e., config values accepted from end users), so this could potentially be an issue. I'll investigate when I get some spare time. Thanks for submitting the issue!
You're most welcome
Welp, this is still open a year later. I know, life happens :cake: :v:
Seeing this: https://github.com/Oshuma/app_config/blob/6148df46ac6a2a7be047bebac61b40db988d051c/lib/app_config/storage/postgres.rb#L48-L56
I know end-user input is not expected to be stored in a configuration backend, but the code as it stands is classic SQL injection.
This might be relevant: http://deveiate.org/code/pg/PG/Connection.html#method-c-escape_string
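As an added illustration of the point raised in this thread (example code, not part of the app_config project and not the reporter's or maintainer's code): the contrast between splicing a config key into the SQL text and passing it as a bound parameter through `PG::Connection#exec_params`. The `app_config` table, its `key`/`value` columns, and the `StubConnection` class are assumptions; the stub records what would reach the server so the example runs without a database or the pg gem.

```ruby
# Added example, not the app_config project's code. Contrasts string
# interpolation with PG::Connection#exec_params for a config-key lookup.
# StubConnection is a constructed stand-in for a real PG::Connection: it
# records the SQL text and the parameter array instead of talking to a server.
class StubConnection
  attr_reader :last_sql, :last_params

  # Mirrors PG::Connection#exec(sql): the whole statement is one string.
  def exec(sql)
    @last_sql = sql
    @last_params = nil
    []
  end

  # Mirrors PG::Connection#exec_params(sql, params): the statement text is
  # fixed and the values travel separately, so they can never alter its shape.
  def exec_params(sql, params)
    @last_sql = sql
    @last_params = params
    []
  end
end

# Vulnerable form (assumed table/column names): the key is spliced into the
# statement, so a quote character in the key changes the statement itself.
def fetch_config_unsafe(conn, key)
  conn.exec("SELECT value FROM app_config WHERE key = '#{key}'")
end

# Safe form: the statement is constant; the key is bound as $1 and needs no
# manual escaping (this is what the exec_params link above is about).
def fetch_config_safe(conn, key)
  conn.exec_params("SELECT value FROM app_config WHERE key = $1", [key])
end

# Runs both forms against the stub and returns what each would send, so the
# difference can be inspected for any key.
def compare(key)
  conn = StubConnection.new
  fetch_config_unsafe(conn, key)
  unsafe_sql = conn.last_sql
  fetch_config_safe(conn, key)
  { unsafe_sql: unsafe_sql, safe_sql: conn.last_sql, params: conn.last_params }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed key containing an apostrophe, the kind of value that breaks
  # the interpolated statement but is harmless as a bound parameter.
  r = compare("it's")
  puts "unsafe: #{r[:unsafe_sql]}"
  puts "safe:   #{r[:safe_sql]} with params #{r[:params].inspect}"
end
```

With a real connection, `StubConnection.new` would be replaced by `PG.connect(...)` and the two functions work unchanged; the unsafe form sends `... WHERE key = 'it's'`, which the server no longer parses as a single literal, while the safe form sends the same constant statement for every key.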