Skip to content

SQL injection in Channel.fromNameAndProtocol #1339

Description

@nigredo-tori

Here it is. It's already marked with a TODO comment, but this definitely deserves an issue.

The obvious way is to build a Command[String] using interpolation and work with that. However, that would require we prepare the statement before execution, which, I assume, is slower that what we have now. The alternative is manually escaping the string.

UPD: Interpolation doesn't seem possible, unless we move macros to a separate compilation unit. It's possible to do that without affecting resulting artifacts, but for this issue it's enough to just manually write out a Command with a placeholder.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions