Sanitize() AND escapeHTML()/h()?

Hi there,

is it correct that one should always use both…

1. sanitize(params[:whatever_external_or_user_input_to_save_to_database]),
AND
2. h(@whatever_database_record_to_display_on_page)

…in order to have the highest security level? (Besides all the other
security stuff to do, of course)

Thanks a lot!
Tom

Tom Ha wrote:

Hi there,

is it correct that one should always use both…

1. sanitize(params[:whatever_external_or_user_input_to_save_to_database]),
AND
2. h(@whatever_database_record_to_display_on_page)

…in order to have the highest security level?

AFAIK, sanitize should not be necessary – ActiveRecord uses
parameterized queries, which already protect against SQL injection
without further sanitization. (If you write your own SQL, your queries
should also be parameterized.) h, on the other hand, is not about
security so much as it is about keeping markup valid and correct. You
should definitely use it on anything that comes from the DB, unless
you’re deliberately storing HTML code in there.

BTW, if you use Haml (highly recommended), it has a very useful
shorthand construct for this (&= instead of h), and you can even turn on
HTML escaping as a global default.

Best,

Marnen Laibow-Koser
http://www.marnen.org
[email protected]
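The division of labour described in the reply above (store the input as typed, escape it with h at render time), as an added Ruby example that is not from this thread. It uses ERB::Util.h from the standard library, which is the same helper Rails exposes as h in views; the records are constructed stand-ins for rows read back from the database, and the last function shows why escaping on the way in and again on the way out mangles legitimate text.

```ruby
require "erb"
include ERB::Util # provides h, an alias of ERB::Util.html_escape (what Rails' h calls)

# Constructed sample rows standing in for records read back from the database.
# They are stored exactly as the user typed them: no sanitize() on the way in.
STORED_RECORDS = [
  { name: "Tom & Jerry" },
  { name: "<script>alert(1)</script>" },
  { name: "\"quoted\" <b>bold</b>" },
].freeze

# Escape one value at display time: &, <, >, " and ' are turned into entities,
# so the browser renders the value as text instead of interpreting it as markup.
def render_cell(value)
  h(value)
end

# A view template that escapes every field it prints, the way <%= h(...) %>
# is used in a Rails ERB view. trim_mode "-" keeps the loop lines out of the output.
TEMPLATE = ERB.new(<<~HTML, trim_mode: "-")
  <ul>
  <%- records.each do |r| -%>
    <li><%= h(r[:name]) %></li>
  <%- end -%>
  </ul>
HTML

def render_list(records)
  TEMPLATE.result_with_hash(records: records)
end

# Escaping twice (once when saving, once when rendering) corrupts ordinary text:
# "Tom & Jerry" comes out as "Tom &amp;amp; Jerry", which displays as "Tom &amp; Jerry".
def double_escaped(value)
  h(h(value))
end

if __FILE__ == $PROGRAM_NAME
  puts render_list(STORED_RECORDS)
  puts double_escaped("Tom & Jerry")
end
```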

Great, thanks a lot!