Is Client.find(params[:id]) safe?

@client = Client.find(params[:id])

I use the above line in a lot of scripts because it is shown this way in
the Rails book. Is this safe? Does it use placeholders? Will it leave
me open to an SQL injection attack?

You’re safe with any of the automatically generated find methods. The
only time you need to worry is when you’re using any SQL, such as when
you call find_by_sql, or you pass :conditions. Refer to pp 213-214 of
the Rails book for more info, and I’m sure the API docs cover it as
well.

On 1/26/06, Adam D. [email protected] wrote:

It depends what you are trying to do. For example if you are doing a
messaging page you probably want to do something along the lines of

@message = Message.find(@params[:id], :conditions => ["user_id = ?", @session[:user_id]])

to prevent just any person from going to http://yoursite.com/message/show/30

I prefer to do
@message = session[:user].messages.find(params[:id])

That ends up generating the same exact SQL obviously, but I think it’s
a good habit to take advantage of the rich model whenever possible. I
find I generally think more clearly, leading to better code, and I get
the benefit of somewhat hidden security features.

However if you have a shopping site, then you would obviously want
anybody to see the product with your find. So it depends on the app
and if you need to add some additional logic to the find.

All in all, though, find(@params[:id]) should be safe, generally speaking.
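To make concrete why the thread treats find(params[:id]) and the "?" placeholder form as safe, and why the association-scoped find generates the same SQL, here is an added stdlib-only Ruby sketch; it is not code from the thread or from Rails, and the helpers quote_value and sanitize_sql_array borrow ActiveRecord's names but are a constructed approximation of its quoting.

```ruby
# Constructed stand-in for ActiveRecord's value quoting (not the real
# library): integers pass through, nil becomes NULL, everything else is
# single-quoted with embedded single quotes doubled so the value can
# never terminate the literal it sits in.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Mimics :conditions => ["user_id = ?", x]: each "?" is replaced by the
# quoted argument, and a bind-count mismatch is rejected up front.
def sanitize_sql_array(template, *args)
  unless template.count("?") == args.size
    raise ArgumentError, "wrong number of bind variables"
  end
  args.each { |arg| template = template.sub("?") { quote_value(arg) } }
  template
end

# Message.find(@params[:id]): params values arrive as Strings, so the id
# is quoted before it reaches SQL, whatever characters it contains.
def find_sql(id)
  "SELECT * FROM messages WHERE (messages.id = #{quote_value(id)})"
end

# Message.find(@params[:id], :conditions => ["user_id = ?", uid])
def conditional_find_sql(id, user_id)
  where = sanitize_sql_array("user_id = ?", user_id)
  "#{find_sql(id)} AND (#{where})"
end

# session[:user].messages.find(params[:id]): the association adds the
# owner check itself, giving the same effective query as the form above.
def association_find_sql(user_id, id)
  "SELECT * FROM messages WHERE (messages.user_id = #{quote_value(user_id)}) " \
    "AND (messages.id = #{quote_value(id)})"
end

if __FILE__ == $0
  puts find_sql("30")
  puts conditional_find_sql("30", 7)
  puts association_find_sql(7, "30")
end
```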

Sounded to me like he was simply asking about SQL injection type
stuff, in which case it’s perfectly safe.

It depends what you are trying to do. For example if you are doing a
messaging page you probably want to do something along the lines of

@message = Message.find(@params[:id], :conditions => ["user_id = ?", @session[:user_id]])

to prevent just any person from going to
http://yoursite.com/message/show/30

However if you have a shopping site, then you would obviously want
anybody to see the product with your find. So it depends on the app
and if you need to add some additional logic to the find.

All in all, though, find(@params[:id]) should be safe, generally speaking.

adam

Yes, I was just wondering about SQL injection. Thanks for the info!