I believe the SQL sanitation happens when you use a positional variable ? rather than the (more obvious) direct string interpolation:

@users = User.where("email ILIKE \"%#{params[:email]}%\"").order(created_at: :desc) # unsafe/unsanitized

A little unsure on how/where that's happening, but it might be happening in the calls to sanitize_sql in build_where_clause and related query builder steps apidock.com/rails/v6.1.3.1/ActiveR...

It's documented in the security guide, guides.rubyonrails.org/security.ht... and in the query guide guides.rubyonrails.org/active_reco... and the "don't build strings yourself" bad example is more or less the same as above.
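The difference the comment points at, as an added stand-alone example that is not part of the comment and not ActiveRecord's own code: a minimal model of what a positional ? bind does (quote the value, doubling embedded single quotes) next to the interpolated form, plus LIKE-wildcard escaping modelled on ActiveRecord's sanitize_sql_like. The helper names quote_value, escape_like, bind_positional, unsafe_where, safe_where and balanced_quotes? are assumptions introduced here; the user input "o'brien" is constructed. Real ActiveRecord quoting is adapter-specific and more involved than this; the Rails form of the hardened query is shown as a comment.

```ruby
# Added example (not from the comment, not ActiveRecord internals): a small
# model of positional "?" binding versus direct string interpolation.

# Quote one bind value as a SQL string literal, doubling embedded single quotes.
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Escape LIKE/ILIKE wildcards so user input matches literally. Modelled on
# ActiveRecord's sanitize_sql_like (hypothetical re-implementation here).
def escape_like(value, escape_char = "\\")
  pattern = Regexp.union(escape_char, "%", "_")
  value.to_s.gsub(pattern) { |x| escape_char + x }
end

# Expand a template containing positional "?" markers by quoting each bind.
# Binds are taken from the original template only, so a "?" inside a bound
# value is never re-expanded. (A "?" inside a quoted literal in the template
# would still be replaced; ActiveRecord's parser is smarter than this model.)
def bind_positional(template, *binds)
  raise ArgumentError, "bind count mismatch" unless template.count("?") == binds.size
  i = -1
  template.gsub("?") { quote_value(binds[i += 1]) }
end

# The unsafe pattern from the comment: user text pasted straight into SQL.
# Any quote character in the input changes the statement's structure.
def unsafe_where(email)
  "SELECT * FROM users WHERE email ILIKE '%#{email}%'"
end

# The hardened pattern: escape wildcards, then bind the whole term with "?".
# In Rails this is:
#   User.where("email ILIKE ?", "%#{User.sanitize_sql_like(params[:email])}%")
def safe_where(email)
  bind_positional("SELECT * FROM users WHERE email ILIKE ?", "%#{escape_like(email)}%")
end

# Cheap structural check used below: an odd number of single quotes means
# the input broke out of its string literal.
def balanced_quotes?(sql)
  sql.count("'").even?
end

if __FILE__ == $PROGRAM_NAME
  input = "o'brien" # constructed user input containing an apostrophe
  puts "unsafe:  #{unsafe_where(input)}  balanced=#{balanced_quotes?(unsafe_where(input))}"
  puts "safe:    #{safe_where(input)}  balanced=#{balanced_quotes?(safe_where(input))}"
  puts "literal: #{safe_where('50%_off')}"
end
```

Running the file shows the interpolated statement with three single quotes (the apostrophe terminated the literal early), while the bound form carries the apostrophe as '' inside an intact literal; the third line shows % and _ from user input arriving escaped, so they no longer act as wildcards.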