Sanitize my params and the create method

If I call .create on the param structure, are the parameters being
passed to the create method automatically sanitized for me?

e.g. Journalentry.create(param[:journalentry])

Do I have to worry about any malicious scripting making its way into the
creation of the record?

Thanks.

On 8/22/07, Jim J. [email protected] wrote:

If I call .create on the param structure, are the parameters being
passed to the create method automatically sanitized for me?

e.g. Journalentry.create(param[:journalentry])

Do I have to worry about any malicious scripting making its way into the
creation of the record?

Yes, all values passed to create() are properly quoted for insertion
into the database, so you’re protected from SQL injection attacks.

However, they are not “sanitized” beyond that, so you need to of
course be careful when you send them back to the view to properly
escape them. This is obviously not the bailiwick of ActiveRecord…

Bob S. wrote:

Yes, all values passed to create() are properly quoted for insertion
into the database, so you’re protected from SQL injection attacks.

I have users created with User.create(params[:form]) and this is secure
(in terms of SQL injection), right? So how I should find user by email
using find with :conditions?

Create method does not escape @ sign, but :conditions => [“email = ?”,
params[:email]]) does escape, so [email protected] (inserted to DB by create
method) is something different than user%40domain (queried by find with
:conditions).

I wonder how properly create :conditions statement. Of course
User.find_by_email is secure (escapes ') and finds email since it does
not escape @, but how to create more complicated queries with
:conditions and be SQL injection safe?

Best regards,

Witold R.
http://nhw.pl/wp/ (EN blog)
http://FriendsFeedMe.com

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs