malteseunderdog / fielderic

open source system for social sports participation
http://www.fielderic.com
GNU General Public License v3.0

SQL injection risk !!! #23

Status: Closed (malteseunderdog closed this 12 years ago)

malteseunderdog commented 12 years ago

The controllers should never use the form

Client.first(:conditions => "name LIKE '%#{params[:name]}%'")

as this is dangerous, and opens up to SQL injection attack. Rather, this form should be preferred:

Client.first(:conditions => ["orders_count = ?", params[:orders]])

Please read here for details
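The following is an added example, not code from the fielderic project or from the issue author. It shows in plain Ruby (no Rails, no database) why the interpolated `:conditions` string is risky and what the `["... = ?", value]` form does differently. `bind_conditions` and `quote_literal` are assumed stand-ins for ActiveRecord's placeholder binding, written here only to make the quoting visible; the sample input is constructed.

```ruby
# Added example (not from the fielderic project): the interpolated
# :conditions string versus the "?" placeholder form, demonstrated in plain
# Ruby. `bind_conditions` mimics what ActiveRecord does with
# ["... = ?", value] (quote the value, escape embedded quotes) so the
# behaviour can be inspected without a database. Sample inputs are constructed.

# Vulnerable form from the issue: the user-supplied value is pasted straight
# into the SQL text, so every character of it becomes part of the statement.
def interpolated_conditions(name)
  "name LIKE '%#{name}%'"
end

# Minimal stand-in for ActiveRecord's ["sql with ?", *values] binding.
# Each value becomes a quoted SQL string literal; a single quote inside the
# value is doubled, which is the SQL way to keep it inside the literal.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def bind_conditions(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  out = template.dup
  # Block form so the replacement text is inserted verbatim (no backslash
  # interpretation), replacing one placeholder per value, left to right.
  values.each { |v| out.sub!("?") { quote_literal(v) } }
  out
end

# Count quote characters that are NOT part of a doubled '' escape.
# An odd count means the value has escaped the literal the developer
# intended, i.e. the input is now shaping the SQL structure.
def unescaped_quote_count(sql)
  sql.gsub("''", "").count("'")
end

def literal_intact?(sql)
  unescaped_quote_count(sql).even?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: an ordinary name that contains a single quote.
  name = "O'Brien"
  bad  = interpolated_conditions(name)
  good = bind_conditions("name LIKE ?", "%#{name}%")
  puts bad,  literal_intact?(bad)   # name LIKE '%O'Brien%'  / false
  puts good, literal_intact?(good)  # name LIKE '%O''Brien%' / true
end
```

Even a legitimate value breaks the interpolated form: with `O'Brien` the generated fragment has an unbalanced quote, meaning the input has changed the statement's structure rather than staying inside the literal. The placeholder form keeps the value as data, which is the property the issue is asking the controllers to rely on; in real Rails code use ActiveRecord's own binding rather than a hand-written quoter like the one above.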

malteseunderdog commented 12 years ago

For an example, look at match.rb in models

michaelcamilleri commented 12 years ago

fixed

malteseunderdog commented 12 years ago

Same thing in player model ...

michaelcamilleri commented 12 years ago

removed from player too