Hi @JonasGruenwald. SQL expressions for arbitrarily complex searches are central to listmonk, and they cover all search and filtering scenarios, including searching by e-mail. This is fully exposed in the admin view and is meant for admin functions. listmonk ensures that the expression is read-only before it's executed.
Please validate the external input (the e-mail string) you're receiving before you pass it to the search API.
For a future version, we can consider adding an email param to the query that validates it.
Thanks for clarifying. I guess rather than validating and then interpolating, I'd really prefer to use something like a parameterized query – but I guess I can just make a query against the listmonk db myself from my application rather than using the API in that case.
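The two approaches discussed in this thread, side by side, as an added example that is not part of the issue and not listmonk's own code: the maintainer's suggestion (validate the e-mail strictly before interpolating it into the `query` expression) and the author's preferred alternative (a parameterized query straight against the database). The column name `subscribers.email` follows the expression style in the listmonk docs, but the table here is a simplified in-memory SQLite stand-in, the e-mail regex is a deliberately strict assumption, and `unsafe_interpolation` exists only to show what an unvalidated payload would turn the expression into.

```python
import re
import sqlite3
import urllib.parse

# Assumption: a strict, deliberately narrow e-mail shape (tighter than RFC 5322).
# Anything that does not match is rejected outright, so quotes, semicolons,
# comment markers and whitespace can never reach the SQL expression.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(email: str) -> str:
    """Return the e-mail unchanged if it passes the allow-list, else raise."""
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValueError(f"rejected e-mail: {email!r}")
    return email


def build_listmonk_query(email: str) -> str:
    """Build the value for the listmonk `query` parameter (exact e-mail match).

    Validation is the real control; doubling single quotes is defence in depth
    in case the allow-list is ever loosened.
    """
    safe = validate_email(email).replace("'", "''")
    return f"subscribers.email = '{safe}'"


def subscribers_url(base: str, email: str) -> str:
    """Assemble the GET URL with the expression URL-encoded in the query string."""
    params = urllib.parse.urlencode({"query": build_listmonk_query(email)})
    return f"{base}/api/subscribers?{params}"


def unsafe_interpolation(email: str) -> str:
    """What naive interpolation produces: the thing the question is worried about."""
    return f"subscribers.email = '{email}'"


# --- Alternative: parameterized query directly against the database ---------

def demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the subscribers table (not listmonk's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT UNIQUE, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO subscribers (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    return conn


def find_subscriber_parameterized(conn: sqlite3.Connection, email: str):
    """Bound parameter: the driver sends the value separately from the SQL text,
    so a payload like `' OR 1=1 --` is only ever compared as a literal string."""
    return conn.execute(
        "SELECT id, email FROM subscribers WHERE email = ?", (email,)
    ).fetchone()


if __name__ == "__main__":
    payload = "' OR 1=1 --"
    print(unsafe_interpolation(payload))          # expression is no longer a single comparison
    print(subscribers_url("http://localhost:9000", "alice@example.com"))
    try:
        build_listmonk_query(payload)
    except ValueError as exc:
        print("validation blocked:", exc)
    conn = demo_db()
    print(find_subscriber_parameterized(conn, "alice@example.com"))
    print(find_subscriber_parameterized(conn, payload))
```

The allow-list approach works because the `query` parameter is an SQL fragment by design, so there is no escaping API to lean on: the only safe input is one whose character set cannot change the shape of the expression. The parameterized path sidesteps the problem entirely, at the cost of bypassing the API and coupling the application to the database schema.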
Hello, I'm looking to fetch a subscriber by email as supplied to my application by users in order to enable a list subscription for an existing user.
I saw the parameter query documented here: https://listmonk.app/docs/apis/subscribers/#get-apisubscribers
But I don't understand whether interpolating an arbitrary user-supplied string into that would open me up to SQL injection. Could someone shed some light on that?
*Edited for brevity