On Friday, April 24, 2020 at 4:58:08 PM UTC-7, Dennis O'Connell wrote:
>
> Hey Jeremy,
>
> Thanks for the help! One slight problem here.
>
> First of all, I couldn't do it with your first option. Secondly, the
> example you gave generates:
>
> select *
>             from members t
>             where data ? '$.alternate_emails[*] ? (@ like_regex ".*'query_param_here_notice_quotes.*")'
>
> As you can see, let's say I give 'test' to query. Instead of .*test.*, it
> becomes .*'test'.*. Attention to the quotes before and after test. This
> causes an error. If I use Sequel.lit(query) here, will this create a SQL
> injection possibility?
>

Definitely.  You would probably want to use "like_regex ?" and use 
".*#{query}.*" as the placeholder value.  Of course, allowing arbitrary 
regexp metacharacters to be specified by the attacker seems like a bad idea 
from a security perspective too, even if not as bad as SQL injection.

Thanks,
Jeremy
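Jeremy's two points above (pass the pattern as a placeholder value, and don't let the query act as a regular expression), worked through as an added Ruby example that is not from this thread or the Sequel project. It assumes the sequel gem, PostgreSQL's jsonb `@?` (jsonpath exists) operator, and hypothetical helper names; the table and column names come from the thread.

```ruby
# Added example (not from the thread or the Sequel project): build the
# like_regex filter from the thread so that the user's query can neither
# break out of the SQL statement nor act as a regular expression.
# Table/column names (members, data, alternate_emails) come from the thread;
# the helper names are hypothetical; jsonb's "@?" operator is assumed.
SEQUEL_AVAILABLE = begin
  require 'sequel'
  true
rescue LoadError
  false # gem not installed: only the pure-Ruby helpers below run
end

# ".*<query>.*" with every regex metacharacter escaped, then re-escaped for
# the jsonpath string literal it will sit in (PostgreSQL doubles backslashes
# in like_regex patterns and uses \" for a literal double quote).
def literal_like_regex_pattern(query)
  escaped = Regexp.escape(query)                # a.b  -> a\.b
  in_jsonpath = escaped.gsub('\\') { '\\\\' }   # a\.b -> a\\.b
  in_jsonpath = in_jsonpath.gsub('"') { '\\"' } # "    -> \"
  ".*#{in_jsonpath}.*"
end

# The jsonpath the thread is trying to generate, with the pattern embedded
# as a plain double-quoted jsonpath string (no SQL quoting involved).
def alternate_email_jsonpath(query)
  %Q{$.alternate_emails[*] ? (@ like_regex "#{literal_like_regex_pattern(query)}")}
end

# Hardened form: the whole jsonpath is handed to Sequel as ONE placeholder
# value, so nothing from the user reaches the SQL text. A named placeholder
# is used because with positional args every "?" in the format string
# (including the one in "@?") would be treated as a placeholder.
def members_with_alternate_email(db, query)
  db[:members].where(Sequel.lit('data @? :path', path: alternate_email_jsonpath(query)))
end

# Unsafe form from the thread, for contrast only: interpolating the raw query
# into Sequel.lit makes it part of the SQL statement.
# db[:members].where(Sequel.lit("data @? '$.alternate_emails[*] ? (@ like_regex \".*#{query}.*\")'"))

if SEQUEL_AVAILABLE && __FILE__ == $PROGRAM_NAME
  DB = Sequel.mock(host: 'postgres') # generates PostgreSQL SQL, no server needed
  puts members_with_alternate_email(DB, %q{a.b"c}).sql
end
```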
