Security: Make it clearer that you really need :quoted true to avoid injection via table/column names #422
Assignees
Labels
documentation
I need to write something up!
Comments
|
Suggestion: auto-quote suspicious looking entities unless |
|
Updated PR #424 with a first pass on documentation as well as the auto-quoting of "unusual" entities. |
seancorfield
added a commit
that referenced
this issue
Sep 4, 2022
|
Closing as documented sufficiently for release. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If you have a dialect set as the default,
:quoted falseis the default and if you pass through user input as keywords (or symbols) for table/column/function names etc, those could be used to produce malicious SQL.Also, make it clear that using arbitrary strings as aliases would also allow that.
The text was updated successfully, but these errors were encountered: