You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The update method conveniently builds the SQL for an update statement, but for the 'where' clause it simply takes in a string of SQL. If I pass in a value in the where clause that came from somewhere possibly untrusted, it looks like I'd be introducing a vector for a SQL injection attack. It would be nice if the method exposed a way to pass in a parameterized clause so values could be safely handled.
The update method conveniently builds the SQL for an update statement, but for the 'where' clause it simply takes in a string of SQL. If I pass in a value in the where clause that came from somewhere possibly untrusted, it looks like I'd be introducing a vector for a SQL injection attack. It would be nice if the method exposed a way to pass in a parameterized clause so values could be safely handled.
Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.
The text was updated successfully, but these errors were encountered: