by Peaker
5112 days ago
If he builds the final query string before giving it to Query, his valid query parts that rely on not being escaped would also be escaped. To make a safe query type you'd have to provide non-string primitives to build one, if I understand correctly. You can't allow just a full query string (with all of the injections already in place) to be converted to a Query type (as in his Bad Programmer example).
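An added illustration of the comment above, not code from the thread or from the article it discusses: a Python `Query` value that can only be assembled from two primitives, trusted SQL fragments and bound values, run against an in-memory SQLite table. The names `sql`, `value`, `find_user`, `make_db` and `demo` are assumptions made for this example, and because Python cannot hide the `Query` constructor the way a static type system can, the last lines of `demo` show what happens when a fully built string is wrapped anyway.

```python
import sqlite3
from dataclasses import dataclass

@dataclass(frozen=True)
class Query:
    """SQL text plus bound values; meant to be built only via sql() and value()."""
    text: str
    params: tuple = ()

    def __add__(self, other):
        # A bare str cannot be spliced in: the caller has to state whether it
        # is trusted SQL (sql) or data (value).
        if not isinstance(other, Query):
            return NotImplemented
        return Query(self.text + other.text, self.params + other.params)

def sql(fragment):
    """Trusted SQL written by the programmer (a source-code constant)."""
    return Query(fragment)

def value(v):
    """Untrusted data: it never enters the SQL text, only the parameter list."""
    return Query("?", (v,))

def find_user(conn, name):
    q = sql("SELECT id FROM users WHERE name = ") + value(name)
    return conn.execute(q.text, q.params).fetchall()

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def demo():
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed sample input
    safe = find_user(conn, hostile)  # compared as a literal name: no rows
    # The pattern the comment rules out: the full string is built first and
    # then wrapped, so the wrapper has nothing left to distinguish.
    prebuilt = sql("SELECT id FROM users WHERE name = '" + hostile + "'")
    unsafe = conn.execute(prebuilt.text, prebuilt.params).fetchall()
    return safe, unsafe

if __name__ == "__main__":
    print(demo())
```
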