apotomo
SQL injection security hole in the documentation example code
Hi,
Sorry for the hair-splitting, I know that it's just an example, but just in case someone copies it, would you consider changing items = Tweet.find(:all, :conditions => "text LIKE '%#{param(:term)}%'") to something like items = Tweet.find(:all, :conditions => ["text LIKE '%' || ? || '%'", param(:term)]) or maybe items = Tweet.where("text LIKE ?", "%#{param(:term)}%") on http://apotomo.de/peters-guide-1.1/autocomplete.html in line 9 of app/cells/quick_search.rb, because it's a security hole.
Cheers, Bernát
p.s. Apotomo is awesome. It solved nearly all problems I currently had with Rails. Many thanks :)
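To make the difference between the three forms concrete, here is an added example that is not part of the issue, the apotomo docs or ActiveRecord itself. It models, without a database, how the raw interpolation in the docs and the two bind-style suggestions above end up as SQL text: `quote_literal`, `bind_sql` and `escape_like` are hypothetical stand-ins for the adapter's quoting, for `sanitize_sql_array` (which is what both the `:conditions => [...]` array and `where("... ?", ...)` go through) and for `sanitize_sql_like`; real adapters differ in details (MySQL also escapes backslashes), and the attacker input is constructed for the demonstration.

```ruby
# Added example, not from apotomo or the documentation under discussion.
# Models how the two :conditions styles become SQL, without a database.

# Hypothetical stand-in for the adapter's string quoting: wrap in single
# quotes and double any embedded single quote so the literal cannot be closed
# early by the value.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Hypothetical stand-in for ActiveRecord's sanitize_sql_array: each ? in the
# template is replaced, in order, by the quoted value. Both
# :conditions => ["... ?", v] and where("... ?", v) use this mechanism.
def bind_sql(template, *values)
  values = values.dup
  template.gsub("?") { quote_literal(values.shift) }
end

# Caveat: binding keeps the value inside the literal, but % and _ in user
# input are still LIKE wildcards. Escape them so the term matches literally
# (ActiveRecord 4.2+ ships sanitize_sql_like for the same purpose).
def escape_like(term, escape_char = "\\")
  term.gsub(/[\\%_]/) { |c| escape_char + c }
end

# The style from the documentation: the user's term is pasted into the SQL.
def vulnerable_where(term)
  "text LIKE '%#{term}%'"
end

# First suggestion: concatenate the wildcards in SQL, pass the term as a bind.
def bound_concat_where(term)
  bind_sql("text LIKE '%' || ? || '%'", term)
end

# Second suggestion: build the whole pattern in Ruby and bind it, here with
# LIKE escaping added so a term such as "100%" is searched for literally.
def bound_pattern_where(term)
  bind_sql("text LIKE ? ESCAPE '\\'", "%#{escape_like(term)}%")
end

if __FILE__ == $0
  payload = "' OR '1'='1"   # constructed attacker input
  puts vulnerable_where(payload)     # literal is closed, OR clause is live SQL
  puts bound_concat_where(payload)   # quotes doubled, payload stays a string
  puts bound_pattern_where("100%")   # % in the term no longer acts as a wildcard
end
```

Running it shows the interpolated form producing `text LIKE '%' OR '1'='1%'`, where the attacker's `OR` has escaped the string literal, while both bound forms keep every character of the input inside one quoted literal.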
Hi Bernát,
ouch! I'll fix that in the next screencast. Thanks man!
You're very welcome :) I'm glad to have helped a bit
oops, clicked the wrong button :)