Possible SQL injection vulnerability #116
Comments
Hi, I would like to be able to specify the table schema name dynamically, something like this pseudocode: |
As mentioned above, it's impossible. All parameters will be converted to bind variables in SQLInterpolation.
It's the only way to meet your needs for now. |
Although I agree that the apply() method may not be the best place to put this functionality, I think it should remain somewhere in the library. One simple solution could be to create a method Here are my arguments:
Though my greatest fear was that unsafe API becomes a dangerous bypass for library users,
Indeed you have a point there. So I've changed my mind. Now I think adding unsafe API is reasonable. |
Maybe I'm missing something but the following code doesn't work for me:

```scala
val tableName = "table2"
val sqlsTableName = sqls"${tableName}"
val interpolatedSql = sql"select * from ${sqlsTableName}"
println(interpolatedSql.statement) // prints `select * from ?`
interpolatedSql.map(r => println(r)).single().apply() // Error: near "?": syntax error
```

Version 2.3.5. Any help would be greatly appreciated, spent a lot of time trying to get any interpolation working. |
@seratch Thanks a lot for your fast reply. Apparently, this is actually what I should do, because I can't know the details about a database I'll work with. Mapping to classes doesn't make sense in this case. |
SQLSyntax.apply(String) is unsafe. This API should not be public.
The above code will run the following SQL.
The following case is safe. Users should use only sql"" or sqls"".
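As an added example (not code from this thread or from scalikejdbc's own sources), the following shows why `sqls"${tableName}"` above ends up as a `?` bind variable, and how a dynamic table name can be spliced in without leaving the raw-string path open to arbitrary input. It assumes scalikejdbc 2.x on the classpath and that the unsafe entry point the maintainer agreed to add is `SQLSyntax.createUnsafely`; the allowlist and object name are this example's own.

```scala
import scalikejdbc._

// Added example, not code from the issue thread or from scalikejdbc itself.
// Assumes scalikejdbc 2.x and that the "unsafe API" discussed above is
// SQLSyntax.createUnsafely (that name is an assumption on this page).
object DynamicTableName {

  // Only identifiers a caller is allowed to select from. Checking against a
  // fixed set is what keeps the raw-string path from becoming the bypass the
  // maintainer feared: user input never reaches createUnsafely unchecked.
  private val allowedTables: Set[String] = Set("table1", "table2")

  // Returns the table name as SQLSyntax that is spliced in literally
  // instead of being converted into a `?` bind variable.
  def tableSyntax(name: String): SQLSyntax = {
    require(allowedTables.contains(name), s"table not permitted: $name")
    SQLSyntax.createUnsafely(name)
  }

  // What the comment above observed: a plain String is always bound.
  def boundStatement(name: String): String =
    sql"select * from ${name}".statement // "select * from ?"

  // Same query with the identifier validated and spliced as an identifier.
  def literalStatement(name: String): String =
    sql"select * from ${tableSyntax(name)}".statement // "select * from table2"

  def main(args: Array[String]): Unit = {
    println(boundStatement("table2"))
    println(literalStatement("table2"))

    // sqls"" alone binds too: value is "?" and the name sits in parameters.
    val tableName = "table2"
    val s: SQLSyntax = sqls"${tableName}"
    println(s"${s.value} ${s.parameters}") // "? List(table2)"

    // A name outside the allowlist is rejected before createUnsafely is reached.
    try literalStatement("not_allowed")
    catch { case e: IllegalArgumentException => println(e.getMessage) }
  }
}
```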