Forum: Ruby on Rails: finder_sql and sql injection?

Rick Schumeyer (Guest)
on 2007-04-06 03:27
(Received via mailing list)
The example from the api for has_many looks like:

has_many :subscribers, :class_name => "Person", :finder_sql =>
      'SELECT DISTINCT people.* ' +
      'FROM people p, post_subscriptions ps ' +
      'WHERE ps.post_id = #{id} AND ps.person_id = p.id ' +
      'ORDER BY p.first_name'

Notice the interpolation: #{id}

Is this escaped, or is it vulnerable to sql injection?  Is there a
syntax that allows something like
   WHERE ps.post_id = ?
If so, what is it?  My attempts so far don't work.
Philip Hallstrom (Guest)
on 2007-04-06 03:56
(Received via mailing list)
> Is this escaped, or is it vulnerable to sql injection?  Is there a
> syntax that allows something like
>   WHERE ps.post_id = ?
> If so, what is it?  My attempts so far don't work.

Don't know, but at a minimum you could change it to #{id.to_i} to force
it to return an integer value...
nathaniel (Guest)
on 2007-04-06 04:11
Rick Schumeyer wrote:
> Notice the interpolation: #{id}
>
> Is this escaped, or is it vulnerable to sql injection?

It's vulnerable to sql injection if the value of 'id' could be provided
(i.e. corrupted) by the user.

> Is there a syntax that allows something like
>    WHERE ps.post_id = ?

Agile Web Development with Rails includes the following example (p306):

Order.find_by_sql(["select * from orders where amount > ?", params[:amount]])

Nat
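The three options discussed in this thread side by side, as an added example that is not from the thread or from Rails itself: raw `#{id}` interpolation (what finder_sql does with the string at query time; plain double-quoted Ruby interpolation is used here to simulate it), Philip's `#{id.to_i}` coercion, and the `?` placeholder form Nat points to. The `quote` and `sanitize_sql_array` helpers are simplified stand-ins for how ActiveRecord expands the Array form with `?` markers, not the Rails implementation, and they assume a database that doubles single quotes inside string literals. The untrusted id is a constructed sample.

```ruby
# Added example, not from the thread or from Rails. The helpers below are a
# simplified stand-in for ActiveRecord's `?` expansion, not its real code.

# Quote a Ruby value as a SQL literal: integers pass through, nil becomes
# NULL, everything else becomes a single-quoted string with embedded quotes
# doubled (assumption: a database using '' for an embedded quote).
def quote(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each `?` in the template with the next quoted value, in order,
# the way ["... ?", value] is expanded. Raises if the counts do not match,
# so a missing or extra bind value cannot silently shift the others.
def sanitize_sql_array(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "wrong number of bind values"
  end
  vals = values.dup
  template.gsub("?") { quote(vals.shift) }
end

# 1. Raw interpolation: whatever is in `id` lands in the SQL verbatim,
#    which is the situation the original question asks about.
def interpolated_sql(id)
  "SELECT DISTINCT p.* FROM people p, post_subscriptions ps " \
  "WHERE ps.post_id = #{id} AND ps.person_id = p.id ORDER BY p.first_name"
end

# 2. Philip's suggestion: coerce to an integer first. String#to_i keeps only
#    a leading run of digits, so nothing but a number can reach the SQL.
def coerced_sql(id)
  interpolated_sql(id.to_i)
end

# 3. The `?` placeholder form: the value is quoted as data, never as syntax.
def bound_sql(id)
  sanitize_sql_array(
    "SELECT DISTINCT p.* FROM people p, post_subscriptions ps " \
    "WHERE ps.post_id = ? AND ps.person_id = p.id ORDER BY p.first_name",
    id
  )
end

# Constructed untrusted input: a plausible id with a trailing SQL fragment.
UNTRUSTED_ID = "7 OR 1=1".freeze

if __FILE__ == $0
  puts interpolated_sql(UNTRUSTED_ID) # fragment becomes part of the WHERE clause
  puts coerced_sql(UNTRUSTED_ID)      # WHERE ps.post_id = 7 ...
  puts bound_sql(UNTRUSTED_ID)        # WHERE ps.post_id = '7 OR 1=1' ... (a literal)
end
```

Running the file prints the three generated statements; only the first one has the untrusted fragment sitting in the WHERE clause as SQL, the other two confine it to either a number or a quoted string literal. Note that `to_i` only helps for a column that really is numeric; for string columns the placeholder form is the one that generalises.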