Text after id in URL (security issue?)

I’m a bit of a newbie, so I hope this isn’t an already-answered question…

A URL of the form
http://(item)/show/25
shows the 25th “item”, but I’ve just noticed that
http://(item)/show/25hello
also displays this same item.

Q: is this a security concern, e.g. for SQL injection? Also, in the
spirit of decreasing the temptation of hackers, is there a way to
cause an error to be generated for such URLs, throughout a site?

IIRC, when you do a Model.find(param[:id]), the string is converted to an int via to_i. When Ruby does the conversion, it grabs the 2, then the 5, and then sees garbage and returns 25. If you passed a string of just letters, the conversion would fail and you would get an exception.

Stephen G.
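To make the coercion behaviour concrete, here is an added example that is not from the original thread. It contrasts Ruby's lenient `String#to_i` (what turns `25hello` into `25`) with a strict id check, using a constructed in-memory `ITEMS` hash that stands in for `Model.find`; the `find_lenient`, `find_strict`, `strict_id` and `ID_FORMAT` names are this example's own, not Rails API.

```ruby
# Added example (not from the original forum thread).

# Lenient coercion: how a trailing-garbage id is treated when it is
# turned into an integer with to_i before the database lookup.
def lenient_id(raw)
  raw.to_i # "25hello" -> 25, "25" -> 25, "hello" -> 0 (not an exception)
end

# Strict coercion: accept only a positive decimal integer with no
# leading zeros, sign, whitespace or underscores (all of which
# Kernel#Integer would otherwise tolerate). Returns nil when malformed.
ID_FORMAT = /\A[1-9]\d*\z/

def strict_id(raw)
  return nil unless raw.is_a?(String) && raw.match?(ID_FORMAT)
  Integer(raw, 10)
end

# Constructed stand-in for the "items" table (hypothetical data).
ITEMS = { 25 => "item twenty-five", 26 => "item twenty-six" }.freeze

class RecordNotFound < StandardError; end
class BadRequest < StandardError; end

# Mimics Model.find(params[:id]) with lenient coercion: "/show/25hello"
# serves the same record as "/show/25".
def find_lenient(raw_id)
  ITEMS.fetch(lenient_id(raw_id)) do
    raise RecordNotFound, "no item for #{raw_id.inspect}"
  end
end

# Hardened lookup: a malformed id is rejected before any lookup happens,
# so "/show/25hello" produces an error instead of quietly serving item 25.
def find_strict(raw_id)
  id = strict_id(raw_id)
  raise BadRequest, "malformed id #{raw_id.inspect}" if id.nil?
  ITEMS.fetch(id) { raise RecordNotFound, "no item #{id}" }
end

if __FILE__ == $PROGRAM_NAME
  puts find_lenient("25hello")         # item twenty-five
  puts find_strict("25")               # item twenty-five
  begin
    find_strict("25hello")
  rescue BadRequest => e
    puts "rejected: #{e.message}"
  end
end
```

To get the same rejection site-wide rather than per controller, Rails route constraints do this at the routing layer (for example `constraints: { id: /\d+/ }` on the resource), so a request with a non-numeric id never reaches the action at all.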
