Hello, I have read the Ecto.Query documentation and I see this line:
You should be very careful when allowing user sent data to be used as part of LIKE query, since they allow to perform LIKE-injections.
and I'm afraid of this line because I don't know Postgres without Ecto, and I don't know how I can prevent LIKE-injections.
Do I need to sanitize the LIKE input, for example with a regex? Or does my sample code not need anything and is it right as it is?
my code:
import Ecto.Query

# Paginated search over ErrorSchema rows of one sub-brand whose title or
# error_code contains the search term. Repo.paginate/2 is provided by a
# pagination library (e.g. Scrivener), not by Ecto itself.
def search_codes(sub_brand_id, pagenumber, search_term) do
  # NOTE: any "%" or "_" inside search_term is interpreted by ILIKE as a
  # wildcard, because the term is interpolated into the pattern unescaped.
  search_string = "%#{search_term}%"

  query =
    from u in ErrorSchema,
      join: c in assoc(u, :error_brands),
      join: j in assoc(u, :error_sub_brands),
      join: g in assoc(u, :error_categories),
      where: u.status == true,
      where: u.sub_brand_id == ^sub_brand_id,
      # Both ILIKE tests live in one where clause. A trailing or_where
      # would OR against all preceding conditions, so an error_code match
      # could return rows from other sub-brands or inactive rows.
      where: ilike(u.title, ^search_string) or ilike(u.error_code, ^search_string),
      order_by: [desc: u.inserted_at],
      select: %{
        id: u.id,
        title: u.title,
        short_description: u.short_description,
        seo_alias_link: u.seo_alias_link,
        brand_image: c.image,
        brand_title: c.title,
        brand_id: c.id,
        category_title: g.title,
        category_id: g.id,
        model_title: j.title,
        model_id: j.id
      }

  Repo.paginate(query, %{page: pagenumber, page_size: 20})
end
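An added example (not from the question above and not Ecto's own code) of escaping the user term before it is put into the pattern: the `^` binding already sends the value as a query parameter, so plain SQL injection is not the problem; what remains is that `%` and `_` inside the term act as wildcards, and the fix is to escape them, not to reject them. It assumes a `MyApp.ErrorSearch` module, `MyApp.ErrorSchema`, `MyApp.Repo`, a `Repo.paginate/2` from a pagination library such as Scrivener, and PostgreSQL's default LIKE escape character, the backslash.

```elixir
defmodule MyApp.ErrorSearch do
  import Ecto.Query
  alias MyApp.Repo

  # Upper bound on the search term. Even when escaped, very long patterns
  # make ILIKE scans expensive, so cap the input before building the pattern.
  @max_term_length 100

  # Turns user input into a literal substring pattern for ILIKE: every
  # backslash, "%" and "_" gets a backslash prefix, so PostgreSQL treats it
  # as an ordinary character. The backslash is escaped in the same pass, so
  # a backslash in the input cannot cancel the escape that is added here.
  def escape_like(term) when is_binary(term) do
    term
    |> String.slice(0, @max_term_length)
    |> (&Regex.replace(~r/[\\%_]/, &1, fn char -> "\\" <> char end)).()
  end

  def escape_like(_), do: ""

  # Same search as in the question, reduced to the parts that matter here:
  # the escaped term is wrapped in "%...%" and passed as a bound parameter,
  # and both ILIKE tests sit in one where clause so they cannot be OR-ed
  # against the status and sub_brand filters.
  def search_codes(sub_brand_id, page_number, search_term) do
    pattern = "%" <> escape_like(search_term) <> "%"

    query =
      from u in MyApp.ErrorSchema,
        join: c in assoc(u, :error_brands),
        where: u.status == true and u.sub_brand_id == ^sub_brand_id,
        where: ilike(u.title, ^pattern) or ilike(u.error_code, ^pattern),
        order_by: [desc: u.inserted_at],
        select: %{id: u.id, title: u.title, brand_title: c.title}

    Repo.paginate(query, %{page: page_number, page_size: 20})
  end
end
```

With this in place a term consisting only of "%" no longer matches every row, and "50_off" matches the literal underscore instead of any single character.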