Forum: Ruby on Rails is Client.find(params[:id]) safe?

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Charlie Bowman (beachguy82)
on 2006-01-26 16:19

@client = Client.find(params[:id])

I use the above line in a lot of scripts because it is shown this way in
the Rails book.  Is this safe?  Does it use placeholders?  Will it leave
me open to an SQL injection attack?
Pat Maddox (pergesu)
on 2006-01-26 16:29
(Received via mailing list)
You're safe with any of the automatically generated find methods.  The
only time you need to worry is when you're using any SQL, such as when
you call find_by_sql, or you pass :conditions.  Refer to pp 213-214 of
the Rails book for more info, and I'm sure the API docs cover it as
well.
Adam Denenberg (Guest)
on 2006-01-26 16:29
(Received via mailing list)
It depends what you are trying to do.  For example, if you are doing a
messaging page you probably want to do something along the lines of

  @message = Message.find(@params[:id], :conditions => ["user_id = ?", @session[:user_id]])

to prevent just any person from going to
http://yoursite.com/message/show/30

However, if you have a shopping site, then you would obviously want
anybody to see the product with your find.  So it depends on the app
and if you need to add some additional logic to the find.

All in all, though, find(@params[:id]) should be safe, generally speaking.

adam
Pat Maddox (pergesu)
on 2006-01-26 16:39
(Received via mailing list)
On 1/26/06, Adam Denenberg <straightflush@gmail.com> wrote:
> it depends what you are trying to do.  For example if you are doing a
> messaging page you probably want to do something along the lines of
>
>   @message = Message.find(@params[:id], :conditions => ["user_id = ?", @session[:user_id]])
>
>  to prevent just any person from going to http://yoursite.com/message/show/30

I prefer to do
@message = session[:user].messages.find(params[:id])

That ends up generating the same exact SQL obviously, but I think it's
a good habit to take advantage of the rich model whenever possible.  I
find I generally think more clearly, leading to better code, and I get
the benefit of somewhat hidden security features.


>
>  However if you have a shopping site, then you would obviously want
> anybody to see the product with your find.  So it depends on the app
> and if you need to add some additional logic to the find.
>
>  All in all though find(@params[:id]) should be safe generally speaking.

Sounded to me like he was simply asking about SQL injection type
stuff, in which case it's perfectly safe.
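What the forms discussed in this thread actually send to the database, as an added example that is not code from the thread or from Rails itself: a small pure-Ruby stand-in for how ActiveRecord quotes a find id and fills :conditions placeholders, next to the interpolated string it warns against. The method names (quote, sanitize_conditions, find_sql, scoped_find_sql, interpolated_find_sql) and the messages table with its user_id column are assumptions made for the example.

```ruby
# Added example, not code from this thread or from Rails: a stand-in for
# how ActiveRecord of that era built the WHERE clause, so the difference
# between placeholders and string interpolation can be run without Rails.
# All method names below and the messages/user_id schema are assumed.

# Quote one bind value as a SQL literal: integers pass through unchanged,
# strings become single-quoted with embedded quotes doubled, nil is NULL.
def quote(value)
  case value
  when Integer then value.to_s
  when String  then "'#{value.gsub("'", "''")}'"
  when nil     then "NULL"
  else raise ArgumentError, "cannot quote #{value.class}"
  end
end

# The placeholder form, :conditions => ["user_id = ?", uid]: every "?" in
# the template is replaced by the quoted bind value, so request data can
# only ever become a literal, never SQL syntax.
def sanitize_conditions(conditions)
  template, *values = conditions
  unless template.count("?") == values.size
    raise ArgumentError, "wrong number of bind variables"
  end
  # gsub with a block does not rescan the replacement, so a "?" inside a
  # bind value stays inside its quotes.
  template.gsub("?") { quote(values.shift) }
end

# What Model.find(id, :conditions => [...]) sends to the database: the id
# is quoted too, which is why find(params[:id]) is not injectable.
def find_sql(table, id, conditions = nil)
  where = "id = #{quote(id)}"
  where += " AND (#{sanitize_conditions(conditions)})" if conditions
  "SELECT * FROM #{table} WHERE #{where}"
end

# user.messages.find(id): the association adds the owner check itself,
# producing the same SQL as the explicit :conditions version.
def scoped_find_sql(table, owner_id, id)
  find_sql(table, id, ["user_id = ?", owner_id])
end

# The unsafe form: a conditions string built by interpolating the raw
# parameter. Nothing is quoted, so the input is parsed as SQL.
def interpolated_find_sql(table, raw_id)
  "SELECT * FROM #{table} WHERE id = #{raw_id}"
end
```

Run find_sql and interpolated_find_sql on the same hostile string, such as "30 OR 1=1", to see the former keep it inside quotes while the latter hands it to the parser as SQL.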
Charlie Bowman (beachguy82)
on 2006-01-26 17:10
Yes, I was just wondering about SQL injection.  Thanks for the info!

> Sounded to me like he was simply asking about SQL injection type
> stuff, in which case it's perfectly safe.