Hi,
All through my current project, I’ve been assuming that rails is
clever enough to prevent SQL injections automatically. Is this right?
If not, what’s the best way of doing it?
-Nathan
Nathan
>rails … SQL injections
> If not, what’s the best way of doing it?
Google(rails sql injection)
=> Peak Obsession
Alain
On Apr 15, 2006, at 17:57, [email protected] wrote:
Hi,
All through my current project, I’ve been assuming that rails is
clever enough to prevent SQL injections automatically. Is this right?
If not, what’s the best way of doing it?
Avoid interpolation of tainted data in SQL fragments:
# DON'T DO THIS
user = User.find(:first, :conditions => "id = #{params['id']}")
# DON'T DO THIS
Instead, use placeholders:
# SAFE
user = User.find(:first, :conditions => ['id = ?', params['id']])
or dynamic attribute-based finders (my choice):
# SAFE
user = User.find_by_id(params['id'])
– fxn
On Apr 15, 2006, at 9:12 AM, Xavier N. wrote:
user = User.find(:first, :conditions => “id = #{params[‘id’]}”)
user = User.find_by_id(params[‘id’])
Are you suggesting the standard:
user = User.find(params[‘id’]) isn’t safe?
I’m not 100% certain, but I’m pretty sure you can use the standard
find to find by id without worrying about SQL injection.
–
– Tom M.
On Apr 15, 2006, at 19:31, Tom M. wrote:
Are you suggesting the standard:
user = User.find(params[‘id’]) isn’t safe?
I’m not 100% certain, but I’m pretty sure you can use the standard
find to find by id without worrying about SQL injection.
Oh yes, I wasn’t suggesting that.
I was comparing interpolation versus the other standard idioms, but
unfortunately I chose an example for which there exists yet a more
specific idiom (which is safe as well). I’d better used for instance
“login” instead of “id” in my examples.
– fxn