megastef / node-crate

Node.js base DB-Driver for CRATE (www.crate.io)

Filtering arguments in update where clause for SQL injection protection #20

Open dieseldjango opened 7 years ago

dieseldjango commented 7 years ago

The update method conveniently builds the SQL for an update statement, but for the 'where' clause it simply takes in a string of SQL. If I pass in a value in the where clause that came from somewhere possibly untrusted, it looks like I'd be introducing a vector for a SQL injection attack. It would be nice if the method exposed a way to pass in a parameterized clause so values could be safely handled.
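
The parameterised clause the issue asks for, as an added example written for this page rather than code from node-crate: it assumes a Crate-style request body of `{stmt, args}` with `?` placeholders, and the `quoteIdent`, `buildUpdateUnsafe` and `buildUpdate` names are the example's own. The unsafe builder is kept only to show the difference in what reaches the database.

```javascript
// Added example (not node-crate's code). Assumes the database accepts a
// statement plus a positional argument array, with '?' as the placeholder.

function quoteIdent(name) {
  // Table and column names cannot be bound as values, so restrict them to a
  // plain identifier shape and quote them; anything else is rejected.
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
    throw new Error(`invalid identifier: ${name}`);
  }
  return `"${name}"`;
}

// The shape the issue describes: the caller's `where` string is spliced
// straight into the SQL, so any value inside it is interpreted as SQL.
function buildUpdateUnsafe(table, values, where) {
  const sets = Object.keys(values).map((k) => `${quoteIdent(k)}='${values[k]}'`);
  return `UPDATE ${quoteIdent(table)} SET ${sets.join(', ')} WHERE ${where}`;
}

// Hardened shape: every value, in SET and in WHERE, travels as a bound
// argument; only identifiers and the caller's placeholder skeleton are text.
function buildUpdate(table, values, whereClause, whereArgs = []) {
  const cols = Object.keys(values);
  if (cols.length === 0) throw new Error('no columns to update');
  // Simple sanity check: placeholder count must match the argument count
  // (does not account for a literal '?' inside a quoted string in the clause).
  const placeholders = (whereClause.match(/\?/g) || []).length;
  if (placeholders !== whereArgs.length) {
    throw new Error(`where clause has ${placeholders} placeholders but ${whereArgs.length} args`);
  }
  const sets = cols.map((c) => `${quoteIdent(c)}=?`);
  return {
    stmt: `UPDATE ${quoteIdent(table)} SET ${sets.join(', ')} WHERE ${whereClause}`,
    args: [...cols.map((c) => values[c]), ...whereArgs],
  };
}

// Constructed untrusted input: a value that is also valid SQL syntax.
const untrustedId = "1' OR '1'='1";
// Unsafe: the quote in the value ends the literal and the rest becomes SQL.
const unsafe = buildUpdateUnsafe('users', { active: 'false' }, `id='${untrustedId}'`);
// Safe: the same value is passed as args[1] and compared as a plain string.
const safe = buildUpdate('users', { active: false }, 'id=?', [untrustedId]);
console.log(unsafe);
console.log(safe.stmt, JSON.stringify(safe.args));
```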
