Hi guys,
I just came across an example in the code at the place I work for that said something like this could be vulnerable to SQL injection attacks:
scope :with_name, lambda { |name| where("LOWER(name) LIKE ?", name.downcase) }
I wonder if this is true. My thought is that Rails should escape this and that anything that tried to do something different would fail on the translation to SQL, but does anybody know exactly what happens behind the curtains?
all the best,
Andre
On Friday, 12 April 2013 07:22:24 UTC-4, [email protected] wrote:
> that anything that tried to do something different would fail on the translation to SQL, but does anybody know exactly what happens behind the curtains?
Everything that's inserted into placeholders (the ? above) is escaped - so characters like ' will not break the SQL quoting and allow mischief. Modern Rails versions will even use prepared statements to do this, if your DB adapter supports them.
Your colleague may have been thinking of the (similar but NOT SECURE) form:
scope :with_name_plus_HAX, lambda { |name| where("LOWER(name) LIKE '#{name}'") }
Here the variable is manually interpolated, and will NOT get any escaping. DON'T DO THIS.
–Matt J.
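To make the difference between the two scopes concrete, here is an added illustration that is not Rails' own code and does not need a database: a stand-in for how a "?" placeholder turns a value into a quoted SQL literal, next to the interpolated form from the reply above, plus a check on whether the resulting statement's quotes are still balanced. The table and column names and the sample inputs are constructed for the example; the `escape_like` helper shows the one thing placeholders do not cover (LIKE wildcards), which in real Rails is the job of `ActiveRecord::Base.sanitize_sql_like`.

```ruby
# Added illustration (not Rails' own code): how a "?" placeholder quotes a
# value, versus string interpolation, which does nothing to it.

# Quote a Ruby string as a SQL string literal: wrap it in single quotes and
# double every embedded single quote, which is how database adapters (and
# ActiveRecord's connection.quote) keep a quote from ending the literal early.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for where("... ?", value): every "?" becomes the quoted value.
def bind_placeholders(template, *values)
  placeholders = template.count("?")
  raise ArgumentError, "expected #{placeholders} bind values" unless placeholders == values.size
  queue = values.dup
  template.gsub("?") { quote_literal(queue.shift) }
end

# The safe form from the thread (constructed table/column names).
def placeholder_sql(name)
  bind_placeholders("SELECT * FROM users WHERE LOWER(name) LIKE ?", name.downcase)
end

# The insecure form from the thread: the raw value lands inside the SQL text.
def interpolated_sql(name)
  "SELECT * FROM users WHERE LOWER(name) LIKE '#{name.downcase}'"
end

# A single-quoted literal; '' inside it is an escaped quote.
LITERAL = /'((?:[^']|'')*)'/

# The literals a statement contains, with escaped quotes decoded back.
def string_literals(sql)
  sql.scan(LITERAL).flatten.map { |body| body.gsub("''", "'") }
end

# True when no stray quote is left after removing the literals. A leftover
# quote means the value escaped its literal, which is what an injection needs.
def quotes_balanced?(sql)
  !sql.gsub(LITERAL, "").include?("'")
end

# Placeholders neutralise quotes but not LIKE wildcards: a value of "%" still
# matches every row. Escaping %, _ and \ keeps the input matching literally
# (Rails 4.2+ ships sanitize_sql_like for exactly this).
def escape_like(value)
  value.gsub(/[\\%_]/) { |c| "\\#{c}" }
end

if __FILE__ == $0
  ["alice", "o'brien", "50%"].each do |input|
    [placeholder_sql(input), interpolated_sql(input)].each do |sql|
      puts "#{sql}\n  balanced: #{quotes_balanced?(sql)}  literals: #{string_literals(sql).inspect}"
    end
  end
end
```

Running it shows that for a value containing an apostrophe the placeholder version still yields one well-formed literal holding the original text, while the interpolated version leaves an unbalanced quote and a fragment of the input outside any literal, where the database would read it as SQL.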
AFAIK, using the array syntax, or the syntax you used in the where, IS NOT vulnerable to injection attacks. This matches up with my experience.
You can try this out yourself to verify.
Julian
I just don't have the time right now to try this. I just wanted to see if there was any documentation on the subject, because I couldn't find anything that would tell me otherwise. But thanks for your help, guys.
It'd take less time than replying to this email.
You should always teach yourself with micro-experiments where possible, IMHO.
Julian