We’ve been seeing some queries against our Rails website which include
the “\000” character in some string params. I don’t know if these are
malicious or not, but Postgres does not like them at all, and
ActiveRecord does not help us by escaping this character.
It’s easy to repro:
ActiveRecord::StatementInvalid: PGError: ERROR: unterminated quoted
string at or near “’” at character 50
: SELECT * FROM accounts WHERE (accounts.“login” = ‘’ ) LIMIT 1
It seems that somewhere in the chain, either ActiveRecord or the
Postgres connection code should either strip or escape the \000
This is pretty difficult problem to google against, but it seems
unlikely we’re the only ones with this issue. Anyone?
We’re on Edge Rails revision 4798 and PostgreSQL 8.1.6.