
SQL injection security hole in the documentation example code

Open cie opened this issue 13 years ago • 3 comments

Hi,

Sorry for the hair-splitting, I know that it's just an example, but just in case someone copies it, would you consider changing items = Tweet.find(:all, :conditions => "text LIKE '%#{param(:term)}%'") to something like items = Tweet.find(:all, :conditions => ["text LIKE '%' || ? || '%'", param(:term)]) or maybe items = Tweet.where("text LIKE ?", "%#{param(:term)}%") on http://apotomo.de/peters-guide-1.1/autocomplete.html in line 9 of app/cells/quick_search.rb, because it's a security hole.

Cheers, Bernát

p.s. Apotomo is awesome. It solved nearly all problems I currently had with Rails. Many thanks :)

cie avatar Jul 18 '11 12:07 cie
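The difference between the two forms in the issue, as an added example that is not part of the thread or of the apotomo code: a small stand-in for ActiveRecord's `?` placeholder binding (the real quoting lives in the database adapter; this simplification only doubles single quotes) plus a scanner that shows where each SQL string literal ends. A harmless search term containing an apostrophe is enough to break out of the literal in the interpolated form.

```ruby
# Added example (not from the apotomo guide or the issue): a minimal stand-in
# for ActiveRecord's "?" binding, to contrast the two conditions from the issue.

# Quote a value as a SQL string literal, doubling embedded single quotes.
def quote_sql(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each "?" in the template with the next quoted value.
def bind_conditions(template, *values)
  raise ArgumentError, "placeholder/value count mismatch" unless template.count("?") == values.size
  values.each_with_object(template.dup) { |v, sql| sql.sub!("?") { quote_sql(v) } }
end

# The condition as written in the guide: the search term lands in the SQL verbatim.
def interpolated_condition(term)
  "text LIKE '%#{term}%'"
end

# The replacement proposed in the issue: the whole pattern is one bound value.
def bound_condition(term)
  bind_conditions("text LIKE ?", "%#{term}%")
end

# Scan a SQL fragment for its string literals (a doubled quote is an escaped
# quote); an unterminated literal is reported as :unterminated.
def sql_literals(sql)
  literals = []
  i = 0
  while i < sql.length
    unless sql[i] == "'"
      i += 1
      next
    end
    buf = String.new
    j = i + 1
    loop do
      return literals << :unterminated if j >= sql.length
      if sql[j] != "'"
        buf << sql[j]
        j += 1
      elsif sql[j + 1] == "'"   # doubled quote: stays inside the literal
        buf << "'"
        j += 2
      else
        break                   # closing quote
      end
    end
    literals << buf
    i = j + 1
  end
  literals
end
```

With the term `O'Reilly`, the interpolated condition yields `text LIKE '%O'Reilly%'`, whose literal ends after `%O` and leaves `Reilly%'` as stray SQL, while the bound condition yields `text LIKE '%O''Reilly%'`, a single well-formed literal.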

Hi Bernát,

ouch! I'll fix that in the next screencast. Thanks man!

apotonick avatar Jul 19 '11 10:07 apotonick

You're very welcome :) I'm glad to have helped a bit

cie avatar Jul 20 '11 11:07 cie

oops, clicked the wrong button :)

cie avatar Jul 20 '11 11:07 cie