I have been notified by my boss that a large company that is using my
app is going to start and try to hack it for vulnerablilities and while
I feel that I have things pretty well secure I just wanted to inquire
about, first, what is meant when rails says the SQL statements are
‘sanatized’ when you use
find(:all, :conditions => [’…’]), and secondely, can any one point
me to some good online references that deal with XSS and SQL injection
attacks. Thanks,
-S
On 1 Aug 2008, at 15:07, Shandy N. wrote:
I have been notified by my boss that a large company that is using my
app is going to start and try to hack it for vulnerablilities and
while
I feel that I have things pretty well secure I just wanted to inquire
about, first, what is meant when rails says the SQL statements are
‘sanatized’ when you use
find(:all, :conditions => [’…’]), and secondely, can any one point
sanitized means that the parameters you plug in are escaped so that
(for example)
find :all, :conditions => [“name=?”, “bob’; delete * from users”] is
harmlessly escaped.
You should be safe from sql injection as long as you use :conditions
like this (or the has form of conditions)
If you do this
find :all, :conditions => “name=’#{params[:name]}’”
then you’re in trouble.
Fred
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.
Sponsor our Newsletter | Privacy Policy | Terms of Service | Remote Ruby Jobs