seancorfield / next-jdbc

A modern low-level Clojure wrapper for JDBC-based access to databases.
https://cljdoc.org/d/com.github.seancorfield/next.jdbc/
Eclipse Public License 1.0
755 stars 90 forks

It is possible to create SQL injections via next.jdbc.sql.builder functions #194

Closed seancorfield closed 2 years ago

seancorfield commented 2 years ago

The functions here assume keywords in hash maps are "safe" -- which is not true if they're constructed with the `keyword` function.

The calls to `name` should be replaced by a function that checks the string for "suspicious" characters (like HoneySQL does).
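The pattern the issue describes, as an added example that is not code from the next.jdbc repository: a tiny insert builder that turns map keys into column names with `name`, the same map built from an untrusted string via `keyword`, and a hardened variant that rejects suspicious characters before the name reaches the SQL text. The builder functions, the `safe-name` allowlist and the sample input are all constructed for this illustration; the real library's builder and the exact check it adopted are not reproduced here.

```clojure
(ns injection-demo
  (:require [clojure.string :as str]))

;; Constructed sample input: a column name an attacker controls. Passing it
;; through `keyword` yields a perfectly valid keyword whose `name` still
;; contains the raw payload characters.
(def untrusted-column "id) VALUES (1); DROP TABLE users; --")
(def attacker-map {(keyword untrusted-column) 1})

;; Hypothetical builder modelling the vulnerable pattern: keys become column
;; names via `name` and are spliced straight into the statement. Values are
;; parameterised, but column names never are.
(defn for-insert-unsafe [table key-map]
  (let [cols (map name (keys key-map))]
    (into [(str "INSERT INTO " (name table)
                " (" (str/join ", " cols) ")"
                " VALUES (" (str/join ", " (repeat (count cols) "?")) ")")]
          (vals key-map))))

;; Hardened name conversion: allow only characters that belong in an
;; unquoted SQL identifier (a constructed allowlist, stricter than a
;; "suspicious character" denylist) and refuse anything else.
(defn safe-name [k]
  (let [s (name k)]
    (when (re-find #"[^A-Za-z0-9_.]" s)
      (throw (ex-info "suspicious character found in entity" {:entity s})))
    s))

;; Same builder, but every identifier passes through `safe-name`.
(defn for-insert-safe [table key-map]
  (let [cols (map safe-name (keys key-map))]
    (into [(str "INSERT INTO " (safe-name table)
                " (" (str/join ", " cols) ")"
                " VALUES (" (str/join ", " (repeat (count cols) "?")) ")")]
          (vals key-map))))

(comment
  ;; The payload's ")" and ";" are copied verbatim into the column list.
  (for-insert-unsafe :users attacker-map)
  ;; The hardened builder throws ExceptionInfo on the same input ...
  (for-insert-safe :users attacker-map)
  ;; ... and still builds ordinary statements from trusted keys.
  (for-insert-safe :users {:id 1 :status "active"}))
```

Run the `comment` forms in a REPL: the unsafe call returns a vector whose SQL string contains the attacker's `DROP TABLE` after a statement terminator, because `name` performs no validation; the safe call throws before any SQL is assembled, and the trusted map produces a normal two-column `INSERT` with two `?` placeholders. Note that `name` discards a keyword's namespace, so a qualified key such as `:users/id` is checked only on its `id` part; if table-qualified keys are meaningful in the caller's schema, the check should cover the namespace too.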