wennan.he
02/20/2023, 4:58 AM

Lucas Rodriguez
02/20/2023, 4:09 PM

wennan.he
02/20/2023, 5:32 PM

Lucas Rodriguez
02/20/2023, 6:14 PM
The `sanitizeColumn` does its job and the backticks ensure that the whole string is considered as a column name (or table name if in front of), even if it matches a keyword. But if they can think of a way this is unsafe, by all means we'd be happy to learn about it and implement the required fix!
wennan.he
02/22/2023, 7:35 PM
I think putting the unexpected content into the SQL execute process after sanitizing is still not safe or good enough.
Returning the message has the risk of exposing the MySQL error code through the API; this is not a good practice. Could you consider it?

Lucas Rodriguez
02/22/2023, 7:41 PM
Can you share a sample with us so that we can fix it?
Makes sense. Could you open a GitHub issue (with a sample error, which would really help us)?