Forum: Ruby on Rails ActiveRecord::Base.sanitize_sql and SQL injection vulnerabil

Announcement (2017-05-07): is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see and for other Rails- und Ruby-related community platforms.
Alder G. (Guest)
on 2006-05-24 11:09
(Received via mailing list)

The PostgreSQL development group released an update[1] for PostgreSQL
to address a SQL injection vulnerability. From the infromation[2]
released with this update, it appears the vulnerability exists in
other (all?) database systems allowing multi-byte encoding of

Of particular importance - since it relates not to database issues but
to web programming practices - are these quotes from [2], instructing
developers to 'remove any non-standard string escaping mechanisms from
their applications, such as the popular "backslash-escape", or "\'",
or at least modify them to use the SQL-standard doubling ('') to
escape quotes.'

In particular, the vulenrability relates to applications that 'use
ad-hoc methods to "escape" strings going into the database, such as
regexes, or PHP3's addslashes() and magic_quotes. Since these bypass
database-specific code for safe handling of strings, many such
applications will need to be re-written to become secure.'

Since this is not my field, I'm asking here: how does the above relate
to Rails' built-in SQL sanitizing feature[3]?  Should applications
using this method be rewritten to address the multi-byte
vulnerability, and if so how?


[3] ["name='%s' and group_id='%s'", "foo'bar", 4] which I gathered
work through AR::Base.sanitize_sql
This topic is locked and can not be replied to.