Filtering arguments in update where clause for SQL injection protection

The update method conveniently builds the SQL for an update statement, but for the 'where' clause it simply takes in a string of SQL. If I pass in a value in the where clause that came from somewhere possibly untrusted, it looks like I'd be introducing a vector for a SQL injection attack. It would be nice if the method exposed a way to pass in a parameterized clause so values could be safely handled.

<bountysource-plugin>

---
Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/48326708-filtering-arguments-in-update-where-clause-for-sql-injection-protection?utm_campaign=plugin&utm_content=tracker%2F1042667&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F1042667&utm_medium=issues&utm_source=github).
</bountysource-plugin>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Filtering arguments in update where clause for SQL injection protection #20

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Filtering arguments in update where clause for SQL injection protection #20

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions