Thursday, 22 October 2015

Is this code snippet from Rails vulnerable to SQLi? If so, what is the payload?

I am used to working with PHP and prepared statements. Now, when I was looking at the following piece of code from Rails (since I am new to Rails and not sure about the syntax and stuff), I was wondering if the code is prone to SQL injection.

Code snippet (controller); param q is the value from a search box:

def index
  # Escape the LIKE wildcards in the search term and wrap it in %...%
  query = %w(% %).join params[:q].to_s.gsub('%', '\\%').gsub('_', '\\_')
  # The two ? placeholders are bound parameters; the ORDER BY clause is taken
  # directly from params[:order]
  @posts = Post.where("name LIKE ? OR body LIKE ?", query, query).order(params[:order])
end

Thanks
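The security-relevant distinction in the snippet above is between the two request inputs. `params[:q]` is escaped for LIKE wildcards and then passed through `?` placeholders, which the database adapter quotes, so it cannot break out of the string literal. `params[:order]`, by contrast, is handed to `order` as a raw SQL fragment; Rails of the 4.x era interpolated such a fragment into the query unquoted (only Rails 6 started raising on non-attribute strings), so the ORDER BY clause is the part a reviewer would flag. The plain-Ruby example below is added here and is not code from the original question or from Rails; it runs without ActiveRecord and models the two inputs: the same wildcard escaping for the search term (Rails 4.2 and later also provide `ActiveRecord::Base.sanitize_sql_like` for that step), and an allowlist check for the sort parameter so that only known column names and directions ever reach the SQL string. The column and direction lists are assumed for illustration.

```ruby
# Added example, not part of the original question or of Rails. Models what the
# controller does with its two request inputs, without a Rails dependency.

# Escape LIKE metacharacters the way the question's gsub chain does, then wrap
# the term in wildcards. Rails 4.2+ ships sanitize_sql_like for the escaping;
# this hand-rolled version mirrors the posted code. Note the escaping only
# works when the database treats backslash as the LIKE escape character
# (MySQL and PostgreSQL do by default; SQLite needs an explicit ESCAPE clause).
def like_pattern(q)
  escaped = q.to_s.gsub('%', '\\%').gsub('_', '\\_')
  %w(% %).join(escaped)
end

# Assumed allowlist of sortable columns and directions (hypothetical; a real
# app would derive the columns from the model's attributes).
ORDER_COLUMNS = %w[name created_at updated_at].freeze
ORDER_DIRECTIONS = %w[asc desc].freeze

# Turn a sort parameter such as "name desc" into an ORDER BY fragment built
# only from allowlisted literals, or nil when the value is not on the list.
# The raw request value itself is never concatenated into SQL.
def safe_order(param)
  return nil if param.nil?
  column, direction = param.to_s.strip.split(/\s+/, 2)
  direction = (direction || 'asc').downcase
  return nil unless ORDER_COLUMNS.include?(column) && ORDER_DIRECTIONS.include?(direction)
  "#{column} #{direction}"
end

# Assemble the pieces the way the controller would hand them to ActiveRecord:
# a parameterised WHERE clause with its bind values, plus a validated ORDER BY.
def build_query(q, order)
  pattern = like_pattern(q)
  {
    sql: 'name LIKE ? OR body LIKE ?',
    binds: [pattern, pattern],
    order: safe_order(order)
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a search term containing a wildcard, and a
  # sort parameter that is not a plain column name.
  p build_query('50% off', 'name desc')
  p build_query('a_b', 'name; anything else')
end
```

Dropping a bad sort value to nil (so the query falls back to the default order) is a design choice; rejecting the request with a 400 is equally valid, but either way the value must be compared against a fixed list rather than passed through.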
