You're the one calling people names. The guy who wrote the fix that was actually accepted by the Rails core team called this a "SQL Injection" and it has been filed in that category by numerous independent bug trackers.
I don't quite understand the angst about this defect being called a SQL injection vulnerability. The vector for the attack doesn't change the end result.
The cause might be that the API was broken, but it doesn't change the fact that a guy wrote SQL code that was injected into the middle of the rest of the SQL generated by the ORM.