search for: raw_sql

2011 Nov 22
4
A "strict Arel" mode for ActiveRecord to prevent SQL injection vulnerabilities
...s an experiment, I tried the following monkey patch (which obviously is missing the registration mechanism; and the whitelisting of Arel/ActiveRecord-internal SQL literals):

$ cat vendor/plugins/strict_arel/lib/strict_arel.rb
# StrictArel
require 'arel'

module Arel
  WHITELISTED_RAW_SQL = ["\0", '?', '*']
  by
  module Nodes
    class SqlLiteral
      alias_method :sqlLiteralInitialize_Do_Not_Call_This_Or_Else, :initialize

      def initialize(raw_sql)
        if WHITELISTED_RAW_SQL.include?(raw_sql)
          sqlLiteralInitialize_Do_Not_Call_This...