Do I need to do mysql_escape_string and how?

In my rails apps do I need to do mysql_escape and if so what functions
are around to be able to do this?

is possible a sql injection when a model object is saved/created?
for example a user which has a nick, is it possible to escape mysql
using nick and '?

paul wrote:

In my rails apps do I need to do mysql_escape and if so what functions
are around to be able to do this?

Let Rails take care of all such mundane things for you. Either assign
your
string, as string data, to a member of an ActiveRecord-derived object,
or
use your string in a find() using a parameter substitution system, like
:conditions => [‘foo = ?’, my_foo].

I suspect Rails will either correctly escape things, or will use the
underlying Database’s parameterized query system.

All you need to do is remember never to put a tainted string directly
into a
fragment of an SQL statement. Never say, for example, :conditions =>
“foo =
‘#{my_foo}’”, because now you are vulnerable to SQL-insertion attacks.
Rails
cannot help a string with #{} in it, because that expands at Ruby time
before Rails sees the string.


Phlip
http://www.greencheese.us/ZeekLand <-- NOT a blog!!!

yeah that is the problem, I am generating the conditions statment in a
string, which could be a security problem, I was wondering if there is a
way to manually escape these fields whilst creating the conditions
string?

John wrote:

is possible a sql injection when a model object is saved/created?
for example a user which has a nick, is it possible to escape mysql
using nick and '?

I am not sure about the data written to the database on save, but I
would be very surprised if it does not sanitize it.

Data read back will always be safe as long as you don’t insert strings
directly (as Phlip demonstrates). See
http://manuals.rubyonrails.com/read/chapter/43.

paul wrote:

yeah that is the problem, I am generating the conditions statment in a
string, which could be a security problem, I was wondering if there is a
way to manually escape these fields whilst creating the conditions
string?

:conditions => [" foo = ?", bar]

Always use at least the ? notation, This matches the raw database
technique of parameterized queries. It escapes.


Phlip
http://c2.com/cgi/wiki?ZeekLand <-- NOT a blog!!

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs