I understand that it's easy for someone to do all kinds of nasty things
to a database. I am trying to work on security.
Could someone tell me if the following query is structured correctly for
security?
# find matching manufacturers
def self.find_all(manufacturer = "")
  find(:all, :order => "name",
       :conditions => ["name like ?", "%#{manufacturer}%"])
end
Thank you in advance
Mitchell
Mitchell G. wrote:
I understand that it's easy for someone to do all kinds of nasty things
to a database. I am trying to work on security.
Could someone tell me if the following query is structured correctly for
security?
# find matching manufacturers
def self.find_all(manufacturer = "")
  find(:all, :order => "name",
       :conditions => ["name like ?", "%#{manufacturer}%"])
end
I believe so. The only user input is bound to a placeholder symbol
('?'), which will mean that a parameterized query will be used.
Therefore, I don’t think SQL injection is possible, and I don’t see any
other problems.
By contrast, “name like %#{manufacturer}%” would be insecure.
Thank you in advance
Mitchell
Best,
Marnen Laibow-Koser
http://www.marnen.org
[email protected]
Hi
By contrast, “name like %#{manufacturer}%” would be insecure.
And I think this too is secure unless manufacturer is the direct user
input from params, etc.
Sijo
Sijo k g wrote:
Hi
By contrast, “name like %#{manufacturer}%” would be insecure.
And I think this too is secure unless manufacturer is the direct user
input from params, etc.
Sijo
Hey thanks for the feedback. manufacturer is the direct user input.
cheers
Mitch
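An added example (not code from the thread or from Rails) that spells out Marnen's point about the bound "?" and the one caveat the thread does not cover now that manufacturer is known to be direct user input: the bound value is still a LIKE pattern, so "%" and "_" typed by the user act as wildcards. It runs in plain Ruby with no database; the helper names, the LIKE emulation and the sample names are assumptions.

```ruby
# Added example, not code from the thread. Pure Ruby, no database; LIKE
# matching is emulated so the script runs offline.

# What a parameterized binding does with the value: it becomes one string
# literal with quotes doubled, so the value can never end the literal early.
def bind(sql, value)
  sql.sub("?") { "'#{value.gsub("'", "''")}'" }
end

# The thread's "by contrast" case: raw input spliced into the SQL text.
def interpolated_conditions(manufacturer)
  "name like '%#{manufacturer}%'"
end

# The thread's actual query: placeholder, wildcards wrapped around the value.
def bound_conditions(manufacturer)
  bind("name like ?", "%#{manufacturer}%")
end

# Caveat: even when bound, "%" and "_" inside the value are LIKE wildcards.
# Escaping them (as Rails' sanitize_sql_like does) makes user text literal.
# Hypothetical helper name.
def escape_like(text, escape = "\\")
  text.gsub(/[\\%_]/) { |c| escape + c }
end

# Minimal LIKE emulation: % -> .*, _ -> ., "\x" -> literal x, case-insensitive.
def like?(name, pattern)
  re = pattern.gsub(/\\(.)|%|_|[^\\%_]+/) do |tok|
    case tok
    when "%" then ".*"
    when "_" then "."
    else Regexp.escape(tok.start_with?("\\") ? tok[1] : tok)
    end
  end
  name.match?(/\A#{re}\z/i)
end

# Constructed sample rows standing in for the manufacturers table.
NAMES = ["Acme Corp", "Acme Cycles", "Bolt Works", "100% Natural"].freeze

# Rows a "name like <pattern>" condition would return.
def matches(pattern)
  NAMES.select { |n| like?(n, pattern) }
end

if __FILE__ == $0
  puts bound_conditions("O'Neil")        # literal stays intact
  puts interpolated_conditions("O'Neil") # apostrophe ends the literal early
  p matches("%%%")                       # a bare "%" from a user matches every row
  p matches("%#{escape_like('%')}%")     # escaped, it matches only a literal "%"
end
```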