Validating the whole app against dangerous characters

Hi,

I was wondering if someone could help me out in figuring out what I
should do with the following issue:

I'd like to secure my Rails app so that no one can sign up to my site
using dangerous characters, so I put in my User model a

# \A and \z anchor the whole string; ^ and $ only anchor one line in Ruby
validates_format_of :name, :with => /\A[^\[\]*^}{%&$><|\\\/.'"]+\z/,
                    :message => 'you cant do this, no u cant'

which works like a charm. (Can't save any of the ] [ * ^ } { % & $ > < |
\ / . ' " characters.)

Question is, is there any way to apply this regex validation to EVERY
aspect of my site that has a connection to my database (i.e. to alter
Base::save properties/validations, or do something else I am not aware
of)?

?

MANY MANY thanks for indulging me in this interesting information…
much appreciated,

harp

Hi Harp,

Not an expert so take this with a very large pinch of salt.

If your underlying requirement is to stop SQL Injection type attacks
then Ruby by default protects you in many cases.

Code such as User.find(params[:id]) would be safe, as find would escape
the string, making it safe.

If you construct SQL code on the fly such as

"Select * from user where name = #{@user.name}"

then it's not safe and you should use the bind variable facility, which
is something like

User.find(:all, :conditions => ["name = :user_name",
                                 { :user_name => params[:name] }])

Otherwise look into filters. It would be possible to use these, I think,
but I am not sure if one can do a before_find filter.

As I say, large dose of salt as I am pretty new to this.

Also it would be an idea to get a copy of Agile Web D. with
Rails, the second edition, which is available in PDF form only as it is
still in prerelease form; it covers these topics. The second edition of
this book is much better than the first (not that that was bad).

Regards

Sean

On 11/7/06, harp [email protected] wrote:

:message => ‘you
cant do this, no u cant’

Isn't this covered by the 'h()' method, which scrubs exploit code
like XSS & SQL injection from your inputs?

And shouldn’t this really be done in the view not the model?

Isn't this covered by the 'h()' method, which scrubs exploit code
like XSS & SQL injection from your inputs?

And shouldn’t this really be done in the view not the model?

ok…

I may just as well not really know enough about security in Rails, so
this thread may be somewhat of a redundant one; but this is my case in a
little further detail:

I have a login/signup page where new users enlist. If someone signed up
with a user name such as

              a%simple;usena{me

(with the %;{ dangerous characters)
the name would be saved (exactly as "a%simple;usena{me").

So I pass a validates_format_of method for the User class to stop Base::save
so that those characters cannot be written into the SQL table. (No user
can have those dangerous characters as a name, password, or any other
attribute they have.)

Problem is, I can't really get that to work (i.e. not for the whole
class, but only for the attributes I state in validates_format_of
:attribute); I can only validate this for specific attributes.

Is there any way to validate a whole class (so no bad characters will
be saved into the SQL table)? There must be SOMETHING like this… no?

many thanks…

harp

On 11/7/06, harp [email protected] wrote:

Is there any way to validate a whole class (so no bad characters will
be saved into the SQL table)? There must be SOMETHING like this… no?

Good question, and I don't know the answer to it. I see where you are
coming from all right: you want the default behaviour to remove, or
generate an error on detection of, dangerous characters.

However, in addition to model-based validation, look into view validation
using the h() method (which purges everything silently). You wouldn't
want to use it everywhere; for instance, in your signup code you
definitely want to be messaging to the user that their login name is
unacceptable.

like for instance in your signup code you
definitely want to be messaging to the user that their login name is
unacceptable.

…that's the point; that's why I used a model-based
validates_format_of :login_name_foo_bar, but I was hoping there was
something more general than that: something that added an error to the
object (just as in validates_whatever when it fails) in ALL cases where
Base::save is used.

It seems to me that it shouldn't be THAT complicated…

?

harp

OK. I may be missing something stupid, or not know enough to feel free
to ask stupid questions or whatever, but let me try and simplify the
question:

Is there any way to modify the Base::save functionality so that it will
add an error to the object it is working on if it doesn't pass a
certain regex match?

is this possible?
SOMEONE HAS GOT TO BE OUT THERE TO AT LEAST TELL ME

"No, there isn't."

thanks.

harp
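The thread never gets an answer, so here is one as an added example (not code from harp, Sean or the Rails project). A single validate hook, the method ActiveRecord calls before save, walks every string attribute of the record and adds an error for each one that fails the character whitelist, which is the "whole class" behaviour harp is asking for. ActiveRecord is not loaded here: the attributes, errors and valid? methods below are minimal stand-ins (an assumption) for what a real model already provides, so in a Rails app only the NoDangerousChars module and its include line are needed. The example also shows why the anchors matter: ^ and $ only match a line in Ruby, so harp's original /^…$/ pattern accepts a name whose first line is clean and whose second line carries the forbidden characters, while \A and \z do not.

```ruby
# Added example, not code from the thread. One `validate` hook that runs a
# character whitelist over every string attribute of a record and adds an
# error per offending attribute, instead of one validates_format_of per
# column. ActiveRecord is not required: `attributes`, `errors` and `valid?`
# below are minimal stand-ins (assumption) for the methods a real AR model
# already has; in a Rails model keep only NoDangerousChars and `include` it.

# Same character set as harp's validation. ^ and $ are line anchors in
# Ruby, so the original /^...$/ form accepts "harp\n%bad": the first line
# matches and the regex is satisfied. \A and \z anchor the whole string.
LINE_ANCHORED = /^[^\[\]*^}{%&$><|\\\/.'"]+$/
WHOLE_STRING  = /\A[^\[\]*^}{%&$><|\\\/.'"]+\z/

module NoDangerousChars
  # ActiveRecord calls `validate` before save; errors added here make
  # save return false and valid? false, exactly like validates_format_of.
  def validate
    attributes.each do |name, value|
      next unless value.is_a?(String)  # ids, dates etc. are left alone
      next if value.empty?             # leave blankness to validates_presence_of
      unless value =~ WHOLE_STRING
        errors.add(name, "contains a forbidden character")
      end
    end
  end
end

# Stand-in for ActiveRecord::Errors (assumption), Rails 1.x API shape.
class Errors
  def initialize; @msgs = {}; end
  def add(attr, msg); (@msgs[attr] ||= []) << msg; end
  def on(attr); @msgs[attr]; end
  def empty?; @msgs.empty?; end
end

# Stand-in for an AR model (assumption): attributes is a column => value hash.
class User
  include NoDangerousChars
  attr_reader :attributes, :errors

  def initialize(attrs)
    @attributes = attrs
    @errors = Errors.new
  end

  def valid?
    @errors = Errors.new
    validate
    errors.empty?
  end
end

if __FILE__ == $0
  u = User.new("name" => "a%simple;usena{me", "password" => "secret", "id" => 7)
  puts u.valid?              # false
  p u.errors.on("name")      # ["contains a forbidden character"]
  p u.errors.on("password")  # nil
end
```

Two things to keep in mind when using this in a real model: the hook runs on every save, so the check also applies to records created by fixtures, rake tasks and the console, not only to the signup form; and, as Sean says above, a character blacklist is not what stops SQL injection, bind variables are, so this validation is about keeping names clean, not about making string-built SQL safe.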