wennan.he02/20/2023, 4:58 AM
Lucas Rodriguez02/20/2023, 4:09 PM
wennan.he02/20/2023, 5:32 PM
Lucas Rodriguez02/20/2023, 6:14 PM
The does its job and the backticks ensure that the whole string is considered as a column name (or table name if in front of sanitizeColumn), even if it matches a keyword. But if they can think of a way this is unsafe, by all means we'd be happy to learn about it and implement the required fix!
wennan.he02/22/2023, 7:35 PM
Lucas Rodriguez02/22/2023, 7:41 PM
wennan.he: I think putting the unexpected content into the SQL execution process after sanitizing is still not safe or good enough.
Lucas Rodriguez: Can you share a sample with us so that we can fix it?
wennan.he: Returning the message has a risk of exposing the MySQL error code through the API; this is not good practice. Could you consider it?
Lucas Rodriguez: Makes sense. Could you open a GitHub issue (a sample error would really help us)?