Does anyone have a suggestion for a good method to Sanitize user input
before it is used by a controller? I am aware of the sanitize method,
but it is part of ActionView and not available to my controllers.
This seems like a basic security protocol but I can’t seem to find a
good method. Thanks!
Mindtonic wrote:
Does anyone have a suggestion for a good method to Sanitize user input
before it is used by a controller? I am aware of the sanitize method,
but it is part of ActionView and not available to my controllers.
This seems like a basic security protocol but I can’t seem to find a
good method. Thanks!
It depends what you want to sanitize.
ActionView sanitizes JavaScript and HTML entities.
ActiveRecord has methods to sanitize SQL input, to prevent injection.
Work out what you want to sanitize
and stick it in application.rb: “before_filter :sanitize_params”
In this case I am wanting to sanitize search queries. But I also
would like a safety net for all user generated content.
sanitize_params is a method of my own design? I am hoping to find a
framework to adapt as I am not aware of every possible thing, and I
know there are folks out there who have covered this problem.
Any suggestions?
On Sep 18, 11:10 am, Matthew R. [email protected]
Mindtonic wrote:
In this case I am wanting to sanitize search queries. But I also
would like a safety net for all user generated content.
sanitize_params is a method of my own design? I am hoping to find a
framework to adapt as I am not aware of every possible thing, and I
know there are folks out there who have covered this problem.
Any suggestions?
On Sep 18, 11:10 am, Matthew R. [email protected]
Well… let’s take a look at how you might implement one of these
“search queries”:
Model.find(:all, :conditions => ["text LIKE ?", params[:string]])
ActiveRecord then goes and runs “sanitize_sql_array” on the supplied
array, inserting the params in place of the “?” while ensuring that
they’re quoted safely.
Is that what you mean?
The general rule is: always use the “?” replacement method with your
ActiveRecord finds.
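Matthew’s “?” form above, worked through as an added example (this is not code from the thread and not ActiveRecord itself): a minimal stand-in for the quoting that sanitize_sql_array performs, next to the one thing a placeholder does not cover for a LIKE search, namely the % and _ wildcards, which the user can still supply inside the bound value. The quoting rules, the escape_like helper (equivalent to what later Rails versions expose as sanitize_sql_like, which did not exist when this thread was written) and the sample rows are all constructed for the example, so it runs without a database.

```ruby
# Added example, not code from the thread or from ActiveRecord. The quoting
# below is a minimal stand-in for what sanitize_sql_array does for one adapter
# (single-quoted literals, embedded quotes doubled); it exists only to make the
# difference between interpolation and "?" binding visible without a database.

# Quote one value as a SQL string literal.
def quote_sql_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Bind values into "?" placeholders, quoting each one. Splitting on "?" first
# means a "?" inside a bound value can never be mistaken for a placeholder.
def bind_placeholders(sql, *values)
  parts = sql.split("?", -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "expected #{parts.size - 1} bind values, got #{values.size}"
  end
  out = parts.first.dup
  values.each_with_index { |v, i| out << quote_sql_value(v) << parts[i + 1] }
  out
end

# Escape LIKE metacharacters so the user's text is matched literally.
# (Equivalent to what later Rails versions provide as sanitize_sql_like.)
def escape_like(value, escape_char = "\\")
  value.gsub(/[\\%_]/) { |m| escape_char + m }
end

# The interpolated form, kept for contrast: the user's text becomes part of
# the SQL grammar.
def search_sql_interpolated(term)
  "SELECT * FROM posts WHERE text LIKE '%#{term}%'"
end

# The "?" form: the user's text is always one string literal, and escape_like
# keeps it from acting as a wildcard pattern.
def search_sql_safe(term)
  bind_placeholders("SELECT * FROM posts WHERE text LIKE ? ESCAPE '\\'",
                    "%#{escape_like(term)}%")
end

# Tiny LIKE evaluator (with ESCAPE support) so the wildcard point can be
# checked against in-memory rows instead of a database.
def like_to_regexp(pattern, escape_char = "\\")
  re = +""
  i = 0
  while i < pattern.length
    c = pattern[i]
    if c == escape_char && i + 1 < pattern.length
      re << Regexp.escape(pattern[i + 1])
      i += 2
      next
    end
    re << case c
          when "%" then ".*"
          when "_" then "."
          else Regexp.escape(c)
          end
    i += 1
  end
  Regexp.new("\\A#{re}\\z", Regexp::MULTILINE)
end

SAMPLE_ROWS = ["100% done", "100 dollars", "Rails 2.0"].freeze # constructed data

def wildcard_search(rows, term) # the term's % and _ act as wildcards
  pattern = like_to_regexp("%#{term}%")
  rows.select { |r| pattern.match?(r) }
end

def literal_search(rows, term) # the term is matched literally
  pattern = like_to_regexp("%#{escape_like(term)}%")
  rows.select { |r| pattern.match?(r) }
end

if __FILE__ == $PROGRAM_NAME
  puts search_sql_interpolated("a' OR '1'='1") # grammar changed by the input
  puts search_sql_safe("a' OR '1'='1")         # still one string literal
  p wildcard_search(SAMPLE_ROWS, "100%")       # ["100% done", "100 dollars"]
  p literal_search(SAMPLE_ROWS, "100%")        # ["100% done"]
end
```

The placeholder stops the quote in a' OR '1'='1 from breaking out of the literal, but a search for 100% still matches “100 dollars” unless the wildcards are escaped and an ESCAPE clause is supplied; for a search box that is usually the behaviour you want to decide on deliberately rather than inherit.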
On 9/18/07, Mindtonic [email protected] wrote:
Does anyone have a suggestion for a good method to Sanitize user input
before it is used by a controller? I am aware of the sanitize method,
but it is part of ActionView and not available to my controllers.
This seems like a basic security protocol but I can’t seem to find a
good method. Thanks!
There’s not a general-purpose solution here. Different uses of data
require different techniques. For example:
- passing to a query
- sending to a view
- sending an email
- executing a shell command
- using Ruby’s eval() method
There is no one way to “sanitize” data for all of these situations.
You have to apply the appropriate techniques to the appropriate uses.
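The list above carried into code, as an added example that is not from the thread: the same untrusted string handed to four of those sinks, each with the treatment that sink needs, using only Ruby’s standard library (ERB::Util.html_escape for the view, Shellwords for the shell). The eval case is replaced by a lookup table rather than escaped, because no escaping makes attacker input safe to evaluate; the function names and sample values are constructed for the example.

```ruby
# Added example, not code from the thread. One untrusted string sent to
# several of the sinks the reply lists, each with the encoding that sink
# needs. Names and sample values are constructed.
require "erb"
require "shellwords"

TAINTED = "<b>O'Reilly</b>; rm -rf /".freeze                  # constructed
HEADER_INPUT = "Report\r\nBcc: attacker@example.com".freeze    # constructed

# View: HTML-entity encode, so markup in the value is displayed, not parsed.
def for_html(value)
  ERB::Util.html_escape(value)
end

# Shell: prefer passing an argv array (no shell parses it). If a command
# string is unavoidable, Shellwords.escape turns the value into one word.
def shell_argv(program, value)
  [program, value]
end

def shell_command_string(program, value)
  "#{program} #{Shellwords.escape(value)}"
end

# Mail header: a CR/LF inside a header value starts a new header (here an
# extra Bcc), so line breaks are removed before the value reaches a header.
def for_mail_header(value)
  value.delete("\r\n")
end

# eval()/send() replacement: the input selects from a closed set of allowed
# choices, with a default for anything else. The string itself never becomes
# code or SQL, which is also the right tool for column names and ORDER BY,
# where a "?" placeholder cannot be used.
SORT_ORDERS = {
  "newest" => "created_at DESC",
  "title"  => "title ASC",
}.freeze

def order_clause(param)
  SORT_ORDERS.fetch(param, SORT_ORDERS["newest"])
end

if __FILE__ == $PROGRAM_NAME
  puts for_html(TAINTED)
  p shell_argv("grep", TAINTED)
  puts shell_command_string("grep", TAINTED)
  p for_mail_header(HEADER_INPUT)
  puts order_clause("title; DROP TABLE posts")
end
```

Each sink gets its own function on purpose: a single before_filter that rewrites params for every context would have to pick one encoding, and whichever it picks is wrong for the other sinks.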