#honeysql
2022-06-07
slipset 17:06:54

Given a fn like

(defn- delete-resource [store key]
  (-> (hh/update :plugin_store)
      (hh/set {:keys [:raw (str "keys - '" (sanitize-key key) "'")]})
      (hh/where [:= :_id (core/id store)])
      (honey/format {:quoted true})))
I can do the following
(jdbc/execute-one! ds (delete-resource {:id "lol"} "'; drop table plugin_store -- k" ))
And my table is gone 😕 What would be a safer way to do what I'm trying to achieve here, that is, unsetting the attribute `key` on `keys`? I could of course write a better `sanitize-key`, but I'd really love to get this as a prepared statement of some sort.

kolstae 19:06:59

Wouldn't that be

(-> (hh/update :plugin_store)
    (hh/set {:keys [:- :keys "key"]})
    (hh/where [:= :_id "abc"])
    (honey.sql/format {:quoted true}))
=> ["UPDATE \"plugin_store\" SET \"keys\" = \"keys\" - ? WHERE \"_id\" = ?" "key" "abc"]

slipset 19:06:10

It just very well would.

slipset 17:06:50

That is for Postgres btw