bogdan / datagrid

Gem to create tables grids with sortable columns and filters
MIT License

SQL Injection in Filter example #267

Closed evan-duncan closed 5 years ago

evan-duncan commented 5 years ago

The wiki page for filters includes examples that will open up users to SQL injection.

# easy use case:
filter(:name, :string) { |value| where("name ilike '%#{value}%'") }

You should update all example queries that are not properly sanitizing inputs so users less familiar with Active Record won't do bad things.

# easy use case:
filter(:name, :string) { |value| where("name ilike ?", "%#{value}%") }
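An added example, not code from the datagrid wiki, the gem, or Active Record: a small stand-in for the way `where` handles a plain SQL string versus a `?` bind value, so the two filter blocks above can be compared without a database. `quote_sql_string`, `bind_params` and `escape_like` are this example's own helpers, modelled on Active Record's string quoting and `sanitize_sql_like`; the last one covers a caveat the issue does not mention, namely that binding keeps input inside the string literal but `%` and `_` remain LIKE wildcards.

```ruby
# Stand-in for Active Record's quoting: a single quote inside the value is
# doubled, so the value can never terminate the SQL string literal.
def quote_sql_string(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for where("... ?", value): each ? becomes a quoted literal.
def bind_params(template, *values)
  raise ArgumentError, "placeholder/argument count mismatch" unless template.count("?") == values.length
  i = -1
  template.gsub("?") { quote_sql_string(values[i += 1]) }
end

# The wiki's form: user input is interpolated straight into the SQL text,
# so a quote in the input changes the structure of the statement.
def unsafe_name_clause(value)
  "name ilike '%#{value}%'"
end

# The form proposed in the issue: input travels as a bind value.
def safe_name_clause(value)
  bind_params("name ilike ?", "%#{value}%")
end

# Caveat: binding stops input from leaving the literal, but % and _ are
# still LIKE wildcards. Escape them (as sanitize_sql_like does) when the
# user's characters should match literally.
def escape_like(value, escape_char = "\\")
  value.gsub(/[\\%_]/) { |m| escape_char + m }
end

def safe_literal_name_clause(value)
  bind_params("name ilike ? escape '\\'", "%#{escape_like(value)}%")
end

if __FILE__ == $0
  input = "O'Brien"                           # constructed sample input
  puts unsafe_name_clause(input)              # the quote ends the literal early
  puts safe_name_clause(input)                # the quote is doubled, stays inside
  puts safe_literal_name_clause("50%_off")    # wildcards escaped, literal match
end
```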

bogdan commented 5 years ago

Good suggestion, btw, you can update that too.