
Updated Query Build custom string option for where to remove make it clear the values do not get escaped. #4892

Merged
merged 1 commit into from
Jun 30, 2021

Conversation

lonnieezell
Member

The current version of the user guide presents some confusion, making it appear that the custom string option of the where function in the Query Builder would escape the data. That was incorrect. It appears that NO escaping is done in that case.

The user guide has been updated to make it very clear that user-supplied data MUST be escaped manually when using that option.

@lonnieezell lonnieezell requested review from MGatner and michalsn June 30, 2021 04:30
Member

@MGatner MGatner left a comment


I haven't confirmed your assessment, but I don't use direct query strings so I'll take your word for it. Updates look good!

@lonnieezell lonnieezell merged commit 9ceb5e3 into 4.2 Jun 30, 2021
@codeigniter4 codeigniter4 deleted a comment from mmrtonmoybd Jun 30, 2021
@MGatner
Member

MGatner commented Jun 30, 2021

@mmrtonmoybd If you would like to repost your comment without deriding other developers you may. To be clear, this was not an issue with the code, but rather making sure developers knew: if you use the direct SQL bypass, you are responsible for handling SQL injections.

Either way, thank you for bringing it to the team's attention.
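The point made in the PR description and restated in MGatner's comment, shown side by side: the custom-string form of `where()` passes the string through untouched, the key/value form and query bindings escape for you. This is an added example written for this note; it is not code from the CodeIgniter4 project or from the PR. It assumes a CodeIgniter 4 application with a configured default database connection and a `users` table with a `username` column (table and column are assumed for illustration); `Config\Database::connect()`, `$db->escape()`, `where()` with its optional third `$escape` argument, `getCompiledSelect()` and `query()` with bindings are the framework's own API.

```php
<?php
// Added example for this note; not code from the CodeIgniter4 project or
// from the PR. It assumes a CodeIgniter 4 application with a configured
// default database connection and a `users` table with a `username` column
// (table and column are assumed for illustration).

use Config\Database;

$db = Database::connect();

// Attacker-controlled input, constructed for the demonstration.
$username = "alice' OR '1'='1";

// 1. Custom-string form of where(). The third argument (false) tells the
//    builder to leave the string alone, so what you pass is what runs: the
//    interpolated value is NOT escaped and the injected OR clause survives.
$sqlVulnerable = $db->table('users')
    ->where("username = '{$username}'", null, false)
    ->getCompiledSelect();

// 2. Same custom-string form, escaped by hand. $db->escape() returns the
//    value quoted and escaped for the active driver, so it is concatenated
//    without adding quotes around it.
$sqlEscaped = $db->table('users')
    ->where('username = ' . $db->escape($username), null, false)
    ->getCompiledSelect();

// 3. Key/value form of where(): the builder binds the value and escapes it
//    itself. Prefer this whenever the condition is column / operator / value.
$sqlKeyValue = $db->table('users')
    ->where('username', $username)
    ->getCompiledSelect();

// 4. Raw query with query bindings: each ? is replaced by the escaped value.
$result = $db->query('SELECT * FROM users WHERE username = ?', [$username]);

// Rough check over the compiled statements: only the first still carries the
// injected tautology as bare SQL; in the other two the quotes inside the
// value are escaped by the driver, so the tautology is just part of a string.
foreach (['vulnerable' => $sqlVulnerable, 'escaped' => $sqlEscaped, 'key/value' => $sqlKeyValue] as $label => $sql) {
    $state = strpos($sql, "OR '1'='1'") !== false ? 'injection present' : 'value neutralised';
    echo "{$label}: {$state}\n    {$sql}\n";
}
```

Run it from a CodeIgniter 4 project (for example as a spark command or a throwaway route) and compare the three compiled statements: the custom-string form is a convenience for hand-written SQL, and as the PR says, any user-supplied value inside it has to go through `$db->escape()` or an equivalent before it is concatenated.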

@paulbalandan paulbalandan deleted the where-string branch July 16, 2021 17:19