Forum: Ruby on Rails finder_sql and sql injection ?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- und Ruby-related community platforms.
Rick S. (Guest)
on 2007-04-06 05:27
(Received via mailing list)
The example from the api for has_many looks like:

has_many :subscribers, :class_name => "Person", :finder_sql =>
      'SELECT DISTINCT people.* ' +
      'FROM people p, post_subscriptions ps ' +
      'WHERE ps.post_id = #{id} AND ps.person_id = p.id ' +
      'ORDER BY p.first_name'

Notice the interpolation: #{id}

Is this escaped, or is it vulnerable to sql injection?  Is there a
syntax that allows something like
   WHERE ps.post_id = ?
If so, what is it?  My attempts so far don't work.
Philip H. (Guest)
on 2007-04-06 05:56
(Received via mailing list)
> Is this escaped, or is it vulnerable to sql injection?  Is there a
> syntax that allows something like
>   WHERE ps.post_id = ?
> If so, what is it?  My attempts so far don't work.

Don't know, but at a minimum you could change it to #{id.to_i} to force
it
to return an integer value...
nathaniel (Guest)
on 2007-04-06 06:11
Rick S. wrote:
> Notice the interpolation: #{id}
>
> Is this escaped, or is it vulnerable to sql injection?

It's vulnerable to sql injection if the value of 'id' could be provided
(i.e. corrupted) by the user.

> Is there a syntax that allows something like
>    WHERE ps.post_id = ?

Agile Web D. with Rails includes the following example (p306):

Order.find_by_sql(["select * from orders where amount > ?",
params[:amount]])

Nat
This topic is locked and can not be replied to.