Created
December 1, 2016 02:08
-
-
Save sillypog/630877eb663efcf47f063217b19cd3d3 to your computer and use it in GitHub Desktop.
Fragment SQL injection warning
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| iex(3)> where_string = "device_id = AAA OR login_id = 123" | |
| "device_id = AAA OR login_id = 123" | |
| iex(4)> query = from u in Portmeirion.User, limit: 1, select: %{warehouse_id: u.warehouse_id}, where: fragment(^where_string) | |
| ** (ArgumentError) to prevent sql injection, only a keyword list may be interpolated as the first argument to `fragment/1` with the `^` operator, got `"device_id = AAA OR login_id = 123"` | |
| (ecto) lib/ecto/query/builder.ex:512: Ecto.Query.Builder.keyword!/1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment