Hi Jeremy,
Thanks for the tip. But the thing is, if I do that, ".*#{query}.*" becomes
'.*#{query}.*': single quotes instead of double quotes. This is not valid
SQL. It should be double quoted.
I will try to figure it out but let me know if you have any recommendation
for double quote.
Thank you,
-Den.
On Saturday, April 25, 2020 at 9:46:44 AM UTC+3, Jeremy Evans wrote:
>
> On Friday, April 24, 2020 at 4:58:08 PM UTC-7, Dennis O'Connell wrote:
>>
>> Hey Jeremy,
>>
>> Thanks for the help! One slight problem here.
>>
>> First of all, I couldn't do it with your first option. Secondly, the
>> example you gave generates:
>>
>> select *
>> from members t
>> where data ? '$.alternate_emails[*] ? (@ like_regex ".*'query_param_here_notice_quotes'.*")'
>>
>> As you can see, let's say I give 'test' to query. Instead of .*test.*, it
>> becomes .*'test'.*. Pay attention to the quotes before and after test. This
>> causes an error. If I use Sequel.lit(query) here, will this create an
>> SQL injection possibility?
>>
>
> Definitely. You would probably want to use "like_regex ?" and use
> ".*#{query}.*" as the placeholder value. Of course, allowing arbitrary
> regexp metacharacters to be specified by the attacker seems like a bad idea
> from a security perspective too, even if not as bad as SQL injection.
>
> Thanks,
> Jeremy
>
To view this discussion on the web visit
https://groups.google.com/d/msgid/sequel-talk/cc284619-11e8-48ef-b052-60106a5df7f3%40googlegroups.com.
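An added example, not code from the thread or from Sequel itself, showing the defensive shape the discussion points at: the jsonpath for the members.data search is built with the user's text made regex-literal (Regexp.escape) and JSON-escaped, and the whole jsonpath travels to PostgreSQL as one bind parameter. It assumes PostgreSQL 12+ (jsonb_path_exists) and leaves the actual binding to whatever placeholder mechanism the application uses (for instance a Sequel placeholder literal), which it does not reproduce.

```ruby
# Added example (not from the thread or from Sequel): build the jsonpath for
# the members.data search so that the user's text is matched literally and
# reaches PostgreSQL as a single bind parameter.

# Escape a string for use inside a jsonpath (JSON-syntax) string literal:
# backslash and double quote are the characters that would end or alter it.
def jsonpath_string_literal(str)
  '"' + str.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
end

# jsonpath filter matching alternate_emails entries that contain user_text.
# Regexp.escape neutralises regex metacharacters (".", "*", "(", ...) so the
# caller cannot supply a pattern of their own; the result is then
# JSON-escaped because like_regex takes a JSON string literal.
def email_contains_path(user_text)
  pattern = ".*#{Regexp.escape(user_text)}.*"
  "$.alternate_emails[*] ? (@ like_regex #{jsonpath_string_literal(pattern)})"
end

# SQL text plus the one value to bind. The "?" inside the jsonpath filter
# lives in the parameter, not in the SQL text, so placeholder substitution
# never sees it; the driver adds the surrounding single quotes, so no quote
# ever ends up inside the jsonpath literal itself (the problem reported above).
def member_search(user_text)
  sql = "SELECT * FROM members t WHERE jsonb_path_exists(t.data, ?::jsonpath)"
  [sql, [email_contains_path(user_text)]]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: plain text, a regex metacharacter, a quote.
  ["test", "a.b", 'x"y', "*"].each do |input|
    sql, params = member_search(input)
    puts "#{sql}\n  bind: #{params.first}"
  end
end
```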