I am building an Ecto query like this:
from item in query,
where: like(item.description, ^"%#{text}%")
I'm concerned that this allows S
Yes, that is the exact SQL that is being executed by Ecto (it uses prepared queries through the db_connection package internally) and no SQL injection is possible in that code. This can be verified by turning on logging of all executed SQL queries by changing log_statement to all in postgresql.conf:
...
log_statement = 'all'
...
and then restarting PostgreSQL and running a query. For the following queries:
Repo.get(Post, 1)
Repo.get(Post, 2)
this is logged:
LOG: execute ecto_818: SELECT p0."id", p0."title", p0."user_id", p0."inserted_at", p0."updated_at" FROM "posts" AS p0 WHERE (p0."id" = $1)
DETAIL: parameters: $1 = '1'
LOG: execute ecto_818: SELECT p0."id", p0."title", p0."user_id", p0."inserted_at", p0."updated_at" FROM "posts" AS p0 WHERE (p0."id" = $1)
DETAIL: parameters: $1 = '2'
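The same fact can be checked from inside the application without touching the PostgreSQL log, using Ecto.Adapters.SQL.to_sql/3, which compiles a query to its SQL string and parameter list without executing it. This is an added example, not code from the question or the answer; it assumes a Repo module named MyApp.Repo on the Postgres adapter and a table called "items" with a description column.

```elixir
defmodule LikeCheck do
  import Ecto.Query

  # The query from the question, written against the assumed "items" table.
  # The whole pattern string is pinned with ^, so Ecto sends it as a bound
  # parameter ($1) instead of splicing it into the SQL text.
  def search(text) do
    from(item in "items",
      where: like(item.description, ^"%#{text}%"),
      select: item.description
    )
  end

  # Compile the query and confirm that the user-controlled text appears only
  # in the parameter list, never in the SQL string itself.
  # Returns :ok, or {:error, reason} with the offending SQL or params.
  def verify(text) do
    {sql, params} = Ecto.Adapters.SQL.to_sql(:all, MyApp.Repo, search(text))

    cond do
      String.contains?(sql, text) -> {:error, {:text_in_sql, sql}}
      params != ["%#{text}%"] -> {:error, {:unexpected_params, params}}
      true -> :ok
    end
  end
end

# A value containing a single quote is still just data: the SQL carries only
# the $1 placeholder and the quote travels inside the params list.
# Note that % and _ inside `text` remain LIKE wildcards; that affects matching,
# not the structure of the statement.
LikeCheck.verify("O'Reilly")
```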