hpi-swt2 / bookkeeper-portal-blue

Bookkeeper Portal — 🟦 Edition
MIT License
15 stars 0 forks

Fix: sql injection search page #328

Closed antonykamp closed 1 year ago

antonykamp commented 1 year ago

Fixes #169

Fixes SQL injection on the search page by replacing the where clauses with Active Record queries.

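The difference the PR description refers to, as an added example in plain Ruby (not code from the bookkeeper-portal-blue repository or from this PR). It needs no Rails install: the Active Record calls each function mirrors are named in the comments, the `ITEMS` rows are constructed sample data, and `escape_like` reimplements what `ActiveRecord::Base.sanitize_sql_like` does, because a bound `LIKE` pattern still lets the user supply `%` and `_` wildcards unless they are escaped.

```ruby
# Constructed sample rows standing in for the `items` table.
ITEMS = [
  { name: "Laptop" },
  { name: "Monitor" },
  { name: "Secret ledger" }
].freeze

# Vulnerable: the search term is interpolated into the SQL text, which is what
# `Item.where("name LIKE '%#{term}%'")` hands to the database. A term such as
# "%' OR 1=1 --" closes the string literal and appends its own predicate.
def vulnerable_where(term)
  "name LIKE '%#{term}%'"
end

# Reimplementation of ActiveRecord::Base.sanitize_sql_like: escape the LIKE
# wildcards and the escape character itself so user input matches literally.
def escape_like(value, escape_char = "\\")
  value.gsub(/[\\%_]/) { |m| escape_char + m }
end

# Safe: the SQL text is fixed and the value travels separately as a bind
# parameter, the shape `Item.where("name LIKE ?", "%#{sanitize_sql_like(term)}%")`
# produces. Nothing the user types can change the query structure.
def parameterized_where(term)
  { sql: "name LIKE ?", binds: ["%#{escape_like(term)}%"] }
end

# Translate a LIKE pattern (backslash as escape character) into a Regexp so the
# bound pattern can be evaluated against the sample rows without a database.
# Matching is case-insensitive here, as SQLite's LIKE is; other databases differ.
def like_to_regexp(pattern, escape_char = "\\")
  body = +""
  chars = pattern.chars
  i = 0
  while i < chars.size
    c = chars[i]
    if c == escape_char && i + 1 < chars.size
      body << Regexp.escape(chars[i + 1])
      i += 2
      next
    end
    body << case c
            when "%" then ".*"
            when "_" then "."
            else Regexp.escape(c)
            end
    i += 1
  end
  Regexp.new("\\A#{body}\\z", Regexp::IGNORECASE)
end

# Run the parameterized search over ITEMS and return the matching names.
def search(term)
  query = parameterized_where(term)
  pattern = like_to_regexp(query[:binds].first)
  ITEMS.select { |row| pattern.match?(row[:name]) }.map { |row| row[:name] }
end

if __FILE__ == $PROGRAM_NAME
  payload = "%' OR 1=1 --"
  puts "interpolated:  #{vulnerable_where(payload)}"
  puts "parameterized: #{parameterized_where(payload).inspect}"
  puts "rows for payload: #{search(payload).inspect}"
  puts "rows for 'ledger': #{search('ledger').inspect}"
end
```

With the interpolated form the payload yields `name LIKE '%%' OR 1=1 --%'`, a predicate that is true for every row; with the bound form the same payload is just an unusual pattern that matches nothing.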

LucasDerReisende commented 1 year ago

@antonykamp @SaturnHafen Can you provide me with an example case where I can see that it now works, or some context? Thank you :)

antonykamp commented 1 year ago

Of course :) These are the results of the SQL injection examined by Richard:

[Screenshot 2023-01-20 at 11:23:45]

(not good :()

With the proposed changes, we have the following results:

[Screenshot 2023-01-20 at 11:24:37]
LucasDerReisende commented 1 year ago

Thank you very much :)

CR1337 commented 1 year ago

Shouldn't @rgwohlbold review this, as he found this bug (#169)?

antonykamp commented 1 year ago

Good point @CR1337, I'll ask him 😇