| Field | Value | Date |
|---|---|---|
| author | Teddy Wing | 2018-03-05 17:39:19 +0100 |
| committer | Johan Van Ryseghem | 2018-03-07 13:19:41 +0100 |
| commit | 7034809b7ce458c32597026d69afdf5c37db6bd4 | |
| tree | 6cf5863b2de2e84baaef12e8c673eced20dab2b5 /db/schema.rb | |
| parent | 3dea399922f40eb6afeca9f08910ab91cddeefea | |
| download | chouette-core-7034809b7ce458c32597026d69afdf5c37db6bd4.tar.bz2 | |
AutocompleteLines: Sanitize `:q` param in `LIKE` operator
Johan made a number of good points here:
> * I think this belongs in the model
> * I would rather use a named parameter here
> `.where('lines.number LIKE :q OR lines.names LIKE :q ...', q: "%#{params[:q]}%")`
> * You should definitely escape the params before passing it to your db.
> `sanitize_sql_like` seems like the best choice here
I wasn't thinking about sanitisation at all and just assumed the `?`s in
the prepared statement would take care of it for me. But obviously,
we're passing `%`s in the param, so users can of course do the same
thing.
Protect against this using the
`ActiveRecord::Sanitization#sanitize_sql_like` method. This is a private
class method, so in order to use it we have to call it from inside the
`Chouette::Line` model.
And of course the named parameters are a no-brainer. At the time, I had
seen that `Array` splat somewhere else in the codebase and just blindly
copied the format, forgetting that named parameters even existed.
Refs #5889
Diffstat (limited to 'db/schema.rb')
0 files changed, 0 insertions, 0 deletions
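The before/after shapes described in the commit message, as an added example that is not part of the chouette-core commit: `escape_like` mirrors what `ActiveRecord::Sanitization#sanitize_sql_like` does (prefix `\`, `%` and `_` with a backslash), `like_match?` is a small stand-in for the SQL `LIKE` operator with the default backslash `ESCAPE` character so it runs without a database, and `LINES` plus the two `autocomplete_*` functions are constructed for this illustration.

```ruby
# Escape LIKE wildcards the way ActiveRecord's sanitize_sql_like does:
# each of `\`, `%` and `_` is prefixed with the escape character.
def escape_like(string, escape_character = "\\")
  pattern = Regexp.union(escape_character, "%", "_")
  string.gsub(pattern) { |x| escape_character + x }
end

# Minimal LIKE evaluator (demo stand-in, not a full SQL implementation):
# `%` matches any run, `_` matches one character, `\x` matches x literally.
def like_match?(value, pattern, escape_character = "\\")
  regex = +""
  chars = pattern.chars
  i = 0
  while i < chars.length
    c = chars[i]
    if c == escape_character && i + 1 < chars.length
      regex << Regexp.escape(chars[i + 1]) # escaped wildcard: literal
      i += 2
      next
    end
    piece = case c
            when "%" then ".*"
            when "_" then "."
            else Regexp.escape(c)
            end
    regex << piece
    i += 1
  end
  value.match?(/\A#{regex}\z/m)
end

# Constructed sample rows standing in for `lines.number` / `lines.name`.
LINES = [
  { number: "L1",  name: "Line one" },
  { number: "L42", name: "Line forty-two" },
  { number: "50%", name: "Half fare" },
].freeze

# Pre-fix shape: the user's `q` is interpolated straight into the pattern,
# so `%` or `_` typed by the user act as wildcards.
def autocomplete_unsanitised(q)
  pattern = "%#{q}%"
  LINES.select { |l| like_match?(l[:number], pattern) || like_match?(l[:name], pattern) }
end

# Post-fix shape from the commit: escape first, then wrap in `%...%`,
# so user-supplied `%` and `_` only ever match themselves.
def autocomplete_sanitised(q)
  pattern = "%#{escape_like(q)}%"
  LINES.select { |l| like_match?(l[:number], pattern) || like_match?(l[:name], pattern) }
end
```

A query of just `%` returns every row from the unsanitised version but only the row whose number literally contains `%` from the sanitised one; a plain substring such as `forty` behaves the same in both.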
