Remove injection into SQL statement
wsargent opened this issue · comments
Will Sargent commented
def list(page: Int, orderBy: Int, filter: String) = Action.async { implicit request =>
  // the "f" query parameter arrives here as `filter`; it is wrapped in SQL LIKE
  // wildcards before being handed to the service layer
  computerService.list(page = page, orderBy = orderBy, filter = ("%" + filter + "%")).map { page =>
    Ok(html.list(page, orderBy, filter))
  }
}
https://github.com/playframework/play-scala-anorm-example/blob/2.6.x/conf/routes#L9
GET /computers controllers.HomeController.list(p:Int ?= 0, s:Int ?= 2, f ?= "")
means that you can inject your own filter by using an "f" query parameter.
Will Sargent commented
Filter is not added directly, but is provided in a parameter:
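An added illustration, written for this page and not taken from the issue or from the play-scala-anorm-example project, of the difference the title and this reply are about: a filter spliced into the SQL text versus the same filter bound as an Anorm parameter. It assumes a `computer` table with a `name` column and a `java.sql.Connection` in scope; the function names are hypothetical.

```scala
import anorm._
import anorm.SqlParser._
import java.sql.Connection

object FilterQueries {

  // Assumed schema: table "computer" with a text column "name".
  val nameParser = scalar[String]

  // UNSAFE (shown only for contrast): the user-controlled filter becomes part
  // of the statement text, so a value containing a quote changes the query
  // itself. This is the pattern the issue title warns against.
  def listByConcatenation(filter: String)(implicit c: Connection): List[String] =
    SQL("select name from computer where name like '%" + filter + "%'").as(nameParser.*)

  // SAFE: the filter is bound to the {filter} placeholder, so the database
  // receives it as data. The "%" wrapping is applied to the value, not to the
  // SQL text, matching the controller in the first comment.
  def listByParameter(filter: String)(implicit c: Connection): List[String] =
    SQL("select name from computer where name like {filter}")
      .on("filter" -> ("%" + filter + "%"))
      .as(nameParser.*)

  // Same thing with Anorm's SQL interpolator, which binds ${...} as a parameter
  // rather than splicing it into the statement.
  def listByInterpolator(filter: String)(implicit c: Connection): List[String] = {
    val pattern = "%" + filter + "%"
    SQL"select name from computer where name like $pattern".as(nameParser.*)
  }

  // Caveat beyond what the issue discusses: a bound parameter prevents the
  // statement from being altered, but "%" and "_" inside the value are still
  // LIKE wildcards and widen the match. Escape them when a literal match is wanted
  // and pair the result with an "escape '\'" clause on the LIKE.
  def escapeLike(s: String, esc: Char = '\\'): String =
    s.flatMap {
      case c @ ('%' | '_') => s"$esc$c"
      case c if c == esc   => s"$esc$c"
      case c               => c.toString
    }

  def listByEscapedParameter(filter: String)(implicit c: Connection): List[String] =
    SQL("select name from computer where name like {filter} escape '\\'")
      .on("filter" -> ("%" + escapeLike(filter) + "%"))
      .as(nameParser.*)
}
```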