Remove injection into SQL statement

Question

Remove injection into SQL statement

wsargent opened this issue 7 years ago · comments

https://github.com/playframework/play-scala-anorm-example/blob/2.6.x/app/controllers/HomeController.scala#L57

  def list(page: Int, orderBy: Int, filter: String) = Action.async { implicit request =>
    computerService.list(page = page, orderBy = orderBy, filter = ("%" + filter + "%")).map { page =>
      Ok(html.list(page, orderBy, filter))
    }
  }

https://github.com/playframework/play-scala-anorm-example/blob/2.6.x/conf/routes#L9

GET     /computers                  controllers.HomeController.list(p:Int ?= 0, s:Int ?= 2, f ?= "")

means that you can inject your own filter by using an "f" query parameter.

Will Sargent · Answer 1 · Thu Jul 20 2017 07:28:19 GMT+0800 (China Standard Time)

Filter is not added directly, but is provided in a parameter:

https://github.com/playframework/play-scala-anorm-example/blob/2.6.x/app/models/ComputerRepository.scala#L102