Finder_sql and sql injection?


#1

The example from the api for has_many looks like:

has_many :subscribers, :class_name => "Person", :finder_sql =>
'SELECT DISTINCT people.* ' +
'FROM people p, post_subscriptions ps ' +
'WHERE ps.post_id = #{id} AND ps.person_id = p.id ' +
'ORDER BY p.first_name'

Notice the interpolation: #{id}

Is this escaped, or is it vulnerable to sql injection? Is there a
syntax that allows something like
WHERE ps.post_id = ?
If so, what is it? My attempts so far don’t work.


#2

Is this escaped, or is it vulnerable to sql injection? Is there a
syntax that allows something like
WHERE ps.post_id = ?
If so, what is it? My attempts so far don’t work.

Don’t know, but at a minimum you could change it to #{id.to_i} to force
it to return an integer value…


#3

Rick S. wrote:

Notice the interpolation: #{id}

Is this escaped, or is it vulnerable to sql injection?

It’s vulnerable to sql injection if the value of ‘id’ could be provided
(i.e. corrupted) by the user.

Is there a syntax that allows something like
WHERE ps.post_id = ?

Agile Web D. with Rails includes the following example (p306):

Order.find_by_sql(["select * from orders where amount > ?",
params[:amount]])

Nat
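The three options discussed in this thread side by side, as an added example that is not part of any post above and not Rails code: the raw `#{id}` interpolation from the `has_many` docs, the `.to_i` coercion suggested in #2, and the `?` placeholder style from #3. `bind_sql` and `quote_value` are a deliberately small stand-in for the quoting Rails does behind `?` (an assumption, not Rails' own `sanitize_sql_array`), so the example runs with plain Ruby and no database. The hostile value is constructed for illustration.

```ruby
# Added example, not from the thread or from Rails. Shows how the same WHERE
# clause renders under raw interpolation, integer coercion, and "?" binding.

# Simplified stand-in for the quoting Rails performs for "?" placeholders
# (assumption: a toy re-implementation, not Rails' sanitize_sql_array).
def quote_value(value)
  case value
  when Integer  then value.to_s
  when NilClass then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"   # escape embedded single quotes
  end
end

# Replace each "?" in the template with the quoted next value; refuse to
# build a query when the number of placeholders and values disagree.
def bind_sql(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  pending = values.dup
  template.gsub("?") { quote_value(pending.shift) }
end

BASE = "SELECT DISTINCT p.* FROM people p, post_subscriptions ps " \
       "WHERE ps.post_id = %s AND ps.person_id = p.id"

# 1. Raw interpolation, as in the :finder_sql example from post #1.
#    Whatever is in id becomes part of the SQL text.
def raw_query(id)
  format(BASE, "#{id}")
end

# 2. The .to_i coercion from post #2: non-numeric input collapses to an
#    integer (leading digits, or 0), so it can no longer carry SQL syntax.
def coerced_query(id)
  format(BASE, id.to_i.to_s)
end

# 3. The "?" placeholder from post #3: the value is emitted as a quoted
#    literal (or a bare integer), never as grammar.
def bound_query(id)
  bind_sql(BASE.sub("%s", "?"), id)
end

# Constructed hostile input: a would-be second condition smuggled into id.
HOSTILE_ID = "1 OR 1=1"

if __FILE__ == $PROGRAM_NAME
  puts "raw:     #{raw_query(HOSTILE_ID)}"
  puts "coerced: #{coerced_query(HOSTILE_ID)}"
  puts "bound:   #{bound_query(HOSTILE_ID)}"
  puts "bound:   #{bound_query(42)}"
end
```

Running it shows the raw form turning the input into `ps.post_id = 1 OR 1=1 AND ...`, the coerced form reducing it to `ps.post_id = 1`, and the bound form keeping the whole string inside one quoted literal. Note that Rails interpolates `:finder_sql` itself at query time in the context of the owner record, which is why the single-quoted `#{id}` in the docs is deliberate; the caveat from #3 still applies to anything in that string that a user can influence.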