Hi,
I’m doing some basic changes related to security like the ones below:
Avoiding mass assignment by substituting:
@comment = @tab.comments.build(params[:comment])
With:
@comment.body = params[:comment][:body]
Avoiding SQL injection by substituting:
@comment = @tab.comments.find(params[:id])
with:
@comment = @tab.comments.find(:first, :conditions => ["id = ?", params[:id]])
But I am not sure if @comment = @tab.comments.find(params[:id]) is
already safe against SQL injection. Can anyone clarify it?
Thanks
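The mass-assignment change above, as an added example that is not code from this thread or from Rails: a plain-Ruby stand-in for a model, with a whitelist of attributes that may be set from request parameters. The Comment class, its attribute names and the TAMPERED_PARAMS hash are all constructed for illustration; the point is only that a hash passed straight to build/new writes every key a client chooses to send.

```ruby
# Added example: a plain-Ruby model of Rails-style mass assignment,
# with no ActiveRecord dependency. Comment, its attributes and the
# params hash below are constructed for illustration.

class Comment
  ATTRIBUTES = [:body, :author_id, :approved].freeze
  # Only :body may be set from untrusted request parameters.
  ACCESSIBLE = [:body].freeze

  attr_reader :body, :author_id, :approved

  def initialize
    @body = nil
    @author_id = nil
    @approved = false
  end

  # Unsafe: every key in the hash becomes an attribute write, so a
  # client can flip :approved or reassign :author_id just by adding
  # fields to the form post.
  def assign_all(attrs)
    attrs.each do |name, value|
      name = name.to_sym
      next unless ATTRIBUTES.include?(name)
      instance_variable_set("@#{name}", value)
    end
    self
  end

  # Safe: only whitelisted keys are written; the rest are dropped and
  # returned so the caller can log the attempt.
  def assign_accessible(attrs)
    rejected = []
    attrs.each do |name, value|
      name = name.to_sym
      if ACCESSIBLE.include?(name)
        instance_variable_set("@#{name}", value)
      else
        rejected << name
      end
    end
    rejected
  end
end

# Constructed params hash: the comment form with two extra fields
# appended by the client.
TAMPERED_PARAMS = {
  "body" => "nice tab",
  "approved" => true,
  "author_id" => 1,
}.freeze

def mass_assigned_comment
  Comment.new.assign_all(TAMPERED_PARAMS)
end

def whitelisted_comment
  c = Comment.new
  rejected = c.assign_accessible(TAMPERED_PARAMS)
  [c, rejected]
end

if __FILE__ == $0
  c = mass_assigned_comment
  puts "mass assignment: approved=#{c.approved} author_id=#{c.author_id.inspect}"
  c, rejected = whitelisted_comment
  puts "whitelisted: approved=#{c.approved} author_id=#{c.author_id.inspect} rejected=#{rejected.inspect}"
end
```

Setting `@comment.body = params[:comment][:body]` by hand, as in the post, is the same whitelist written out per attribute; ActiveRecord's own `attr_accessible` / `attr_protected` declarations express the same restriction at the model level.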
Hi –
On Sat, 26 Jul 2008, comopasta Gr wrote:
already safe against SQL injection. Can anyone clarify it?
Let’s ask Rails:
class << ActiveRecord::Base
alias old_sanitize sanitize_sql
# wrap sanitize_sql so every call shows what it was asked to sanitize
def sanitize_sql(*args,&block)
puts "Sanitizing #{args}"
old_sanitize(*args,&block)
end
end
=> nil
Team.find(1)
Sanitizing "teams"."id" = 1
Sanitizing SELECT * FROM "teams" WHERE ("teams"."id" = 1)
David
–
Rails training from David A. Black and Ruby Power and Light:
- Advancing With Rails August 18-21 Edison, NJ
- Co-taught by D.A. Black and Erik Kastner
See http://www.rubypal.com for details and updates!
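To make the difference visible without a database, here is an added example (not code from the thread and not Rails' own implementation) that models in simplified form what ActiveRecord's sanitize_sql does with a `?` placeholder, and what find(id) does with an integer primary key, next to the unsafe string interpolation. quote_value, sanitize_array and id_condition are assumed stand-ins written for this example; PAYLOAD and QUOTE_PAYLOAD are constructed attacker values.

```ruby
# Added example: a plain-Ruby simulation of ActiveRecord-style quoting.
# quote_value / sanitize_array / id_condition are simplified stand-ins,
# not the real ActiveRecord methods, which live in ActiveRecord::Base
# and the connection adapter.

# Quote one value the way a SQL adapter would: integers stay bare,
# nil becomes NULL, strings become single-quoted literals with embedded
# quotes doubled so they cannot close the literal early.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil then "NULL"
  when String then "'" + value.gsub("'", "''") + "'"
  else quote_value(value.to_s)
  end
end

# Replace each ? in the template with the quoted next value. Rails
# raises its own error on a placeholder/value count mismatch; this
# stand-in raises ArgumentError.
def sanitize_array(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "wrong number of bind values"
  end
  queue = values.dup
  template.gsub("?") { quote_value(queue.shift) }
end

# What find(id) on an integer primary key amounts to: the value is cast
# to the column type before it is placed in the SQL, so a string payload
# collapses to its leading integer (or 0).
def id_condition(id)
  "\"comments\".\"id\" = #{Integer === id ? id : id.to_s.to_i}"
end

# The unsafe pattern: the raw parameter interpolated into the SQL text.
def interpolated_condition(id)
  "id = #{id}"
end

# Constructed attacker values, as they would arrive in params[:id].
PAYLOAD = "1 OR 1=1".freeze
QUOTE_PAYLOAD = "1' OR '1'='1".freeze

if __FILE__ == $0
  puts "interpolated: #{interpolated_condition(PAYLOAD)}"
  puts "sanitized:    #{sanitize_array('id = ?', PAYLOAD)}"
  puts "sanitized:    #{sanitize_array('id = ?', QUOTE_PAYLOAD)}"
  puts "find-style:   #{id_condition(PAYLOAD)}"
end
```

The interpolated form hands the database `id = 1 OR 1=1`; the placeholder form hands it the string literal `'1 OR 1=1'`, which can only ever compare equal to a row whose id is that text; and the find-style cast turns the same payload into the integer 1. All three forms are what David's sanitize_sql trace lets you confirm for the real code path.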
Yes, find(params[:id]) is safe from SQL injection.
On Sat, Jul 26, 2008 at 1:27 PM, comopasta Gr <
Thank you for the replies!
Cheers.
comopasta Gr wrote:
But I am not sure if @comment = @tab.comments.find(params[:id]) is
already safe against SQL injection. Can anyone clarify it?
How about you inject some SQL hanky-panky and see what happens to it?
(You can also use assert_efficient_sql to reflect the generated SELECT
statement, and examine it for the correct escapes around your fishy
:id…)
–
Phlip