On Tuesday, August 14, 2012 9:35:30 AM UTC-7, Bob wrote:
>
> Hi, I have a method with a complicated query that doesn't map very well to 
> Sequel's API, so I am using a raw query with Postgres bound variables, to 
> simplify it, something like
>
> DB["SELECT * FROM people WHERE state = ?", "happy"]
>
> and I was curious if you could help me understand vulnerability to 
> injections in this case?
>

There should be no injections in that case.  Pretty much the only way to 
get injections in Sequel is to do something stupid like direct 
interpolation:

   DB["SELECT * FROM people WHERE state = '#{"happy"}']

As long as you don't do that, you should be fine.

Also, just FYI, your code doesn't use bound variables in the SQL.  If you 
really want to use bound variables, see 
http://sequel.rubyforge.org/rdoc/files/doc/prepared_statements_rdoc.html or 
http://sequel.rubyforge.org/rdoc-plugins/files/lib/sequel/extensions/pg_auto_parameterize_rb.html

Jeremy
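To make the difference Jeremy describes concrete, here is an added example that is not Sequel's code and not part of the original thread. It imitates, in plain Ruby, the three ways a value can reach the query: placeholder literalization (what `DB["... ?", "happy"]` does, the value is quoted into the SQL text), direct string interpolation (the unsafe form), and a true bound variable (the value travels separately from the SQL text, as with the prepared-statement and pg_auto_parameterize approaches linked above). The quoting rule is a simplified stand-in for the real literalization, and the `balanced_quotes?` check is a deliberately crude sanity test; both are assumptions of this example.

```ruby
# Added example, not Sequel's own code: a minimal imitation of how a value can
# end up in SQL text, so the three forms can be compared offline.

# Simplified stand-in for placeholder literalization: strings are wrapped in
# single quotes with embedded quotes doubled, integers pass through, nil
# becomes NULL.  Anything else is rejected rather than guessed at.
def literal(value)
  case value
  when String  then "'" + value.gsub("'", "''") + "'"
  when Integer then value.to_s
  when nil     then "NULL"
  else raise ArgumentError, "unsupported type #{value.class}"
  end
end

# Placeholder substitution: every ? is replaced by the literalized argument, so
# a value containing a quote stays inside its own string literal.
def placeholder_sql(sql, *args)
  parts = sql.split("?", -1)
  unless parts.length - 1 == args.length
    raise ArgumentError, "expected #{parts.length - 1} arguments, got #{args.length}"
  end
  out = +""
  parts.each_with_index do |text, i|
    out << text
    out << literal(args[i]) if i < args.length
  end
  out
end

# Direct interpolation: the raw value is pasted into the SQL text, so a quote
# in the value terminates the literal and the rest becomes SQL.
def interpolated_sql(value)
  "SELECT * FROM people WHERE state = '#{value}'"
end

# True bound variables: the SQL text only ever contains $1, $2, ... and the
# values are handed to the driver separately, never merged into the text.
def bound_sql(sql, *args)
  n = 0
  [sql.gsub("?") { "$#{n += 1}" }, args]
end

# Crude check used here only for illustration: an odd number of single quotes
# means some literal was never closed (or was closed by the value itself).
def balanced_quotes?(sql)
  sql.count("'").even?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample value with an embedded quote (a legitimate surname).
  name = "O'Brien"
  puts placeholder_sql("SELECT * FROM people WHERE state = ?", name)
  puts interpolated_sql(name)
  p   bound_sql("SELECT * FROM people WHERE state = ? AND age > ?", name, 30)
end
```

Running the block prints the quoted literal `'O''Brien'` for the placeholder form, the broken `'O'Brien'` for the interpolated form, and a `$1`/`$2` query paired with its argument array for the bound form; the last is the only one in which the value never appears in the SQL text at all.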

-- 
You received this message because you are subscribed to the Google Groups 
"sequel-talk" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/sequel-talk/-/X1mmjtSGs9AJ.