Tag: sql-injection

How to sanitize Arel SQL?

I have the following Arel SQL: I get an SQL Injection warning when I run brakeman. I tried the following: However, I get the following error: How do I sanitize an SQL statement with Arel? Answer I am answering my own question. I am using Arel following the Github wiki for Ransack gem. I was doing something very similar to point #

SQL injection curiosity

Student here, just learned that in order to avoid SQL injections it’s better to use the prepare/execute duo: instead of using: the question is: In what situations does anybody use query instead? Since we have a pretty quick way to secure ourselves from SQL injections, does anybody use the query method anyway? And if so, why? Answer Virtually never;

FromSqlRaw injection EF Core 3.0

I am wondering how safe the fromSqlRaw method is. I am doing the following in my code, where the person id is a parameter from the method itself: Is this code safe from SQL injection? And are there other security vulnerabilities that I should know of when using this? Answer Use proper parametrization for your input. After clarifications in comments,

How to avoid SQL injection on query

My SQL query construction in python code is: When I run Bandit security tool, it says “Possible SQL injection vector through string-based query construction.” How do I avoid it? Answer Best practices recommend to avoid to dynamically build the query and instead use a parameterized query. But the goal is precisely to avoid what you are doing here: prevent a