Forum: Ruby on Rails Security issue dealing with comment posting - anyone?

rh (Guest)
on 2006-03-17 16:53
This is how I'm posting comments currently.  This works, but I read
somewhere that I shouldn't inject params right into my sql query,
because it makes it easy for people to hack in and ruin the db.  I'm not
sure if this even makes sense, but I've tried other things, and can't
get anything else to work.

#currently

def comments
    content = Content.find(params[:id])
    @comment = Comment.new(params[:comment])
    content.comments << @comment
    content.save
    if @comment.save then
      @comment_count = Comment.count("content_id=#{params[:id]}")
      render_without_layout
    else
      render :text => "Error"
    end
end

#what I've tried

def comments
...
    if @comment.save then
      @comment_count = Comment.count(:conditions => ["content_id=?",
                                                      #{params[:id]}])
      render_without_layout
    else
...
end

This doesn't work, and I've tried variations thereof (@param[:id],
@params[:id]).

Any ideas?  Or is it even worth worrying about?

Thanks.
Justin Blake (Guest)
on 2006-03-17 17:03
(Received via mailing list)
Have you tried params[:id] (no #{} and no @)?

That should be what you need to use.

Justin
rh (Guest)
on 2006-03-17 18:28
Justin Blake wrote:
> Have you tried params[:id] (no #{} and no @)?
>
> That should be what you need to use.
>
> Justin

Ok, thanks.  I thought that I tried that, but maybe not.  Also, I should
mention that the '@params[:id]' option didn't give errors, but my Ajax
call never seemed to complete.

I have a 'spinner.gif' image to show while loading, and it never stops,
which tells me that it's never coming back from the call.  If I use the
("content_id=#{params[:id]}") option, it returns from the call.

Does it make any sense to you (or anyone) why the @params[:id] or
params[:id] options would prevent my ajax call from completing?  Is it
something with the way I'm checking for errors (if @comment.save
then...)?

I'm fairly new to Ruby and Rails, so my questions may seem a little
ridiculous.

Also, is it better to use (:conditions => [ "content_id=?", params[:id]
]) instead of ("content_id=#{params[:id]}")?  Are there security
issues there?  Or does it really matter since I'm only getting a count
of the comments, and it's not really inserting or editing anything?

Thanks for any advice/tips/suggestions.
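The thread stops before anyone answers the security question, so here is an added example (not from the thread or from Rails itself) that shows the difference between the two forms of the count condition. Ruby only interpolates `#{...}` inside a double-quoted string; outside one, `#` starts a comment, which is why the `["content_id=?", #{params[:id]}]` attempt above never parsed. The block below stands in for ActiveRecord's placeholder substitution with a simplified `quote_value`/`conditions_with_placeholders` pair (these names and the sample parameter values are constructed for the example) and contrasts it with the string-interpolation pattern from the first post:

```ruby
# Added example, not the thread's code: a minimal stand-in for ActiveRecord's
# handling of :conditions => ["content_id=?", params[:id]], so the two ways of
# building the COUNT condition can be compared without a Rails app or database.

# Quote one bind value roughly the way a database adapter would: integers are
# emitted as-is, everything else becomes a single-quoted SQL string literal
# with embedded single quotes doubled. (Simplified stand-in for the adapter.)
def quote_value(value)
  case value
  when Integer then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Replace each ? in the template with the next quoted bind value, left to
# right. The template is split first so a quoted value containing a literal
# '?' can never be mistaken for a placeholder.
def conditions_with_placeholders(template, *values)
  parts = template.split("?", -1)
  expected = parts.size - 1
  unless expected == values.size
    raise ArgumentError, "expected #{expected} bind values, got #{values.size}"
  end
  quoted = values.map { |v| quote_value(v) } + [""]
  parts.zip(quoted).flatten.join
end

# The pattern from the original post: the request parameter is pasted into
# the SQL text, so whatever the client sent becomes part of the query.
def conditions_with_interpolation(id)
  "content_id=#{id}"
end

# A normal request: both forms select the same rows.
good_id = "42"                                              # constructed sample param
puts conditions_with_interpolation(good_id)                 # content_id=42
puts conditions_with_placeholders("content_id=?", good_id)  # content_id='42'

# A parameter that contains SQL syntax: interpolation turns it into a second
# condition that matches every comment, while the placeholder version keeps it
# as one string literal that matches no content_id at all.
bad_id = "0 OR 1=1"                                         # constructed sample param
puts conditions_with_interpolation(bad_id)                  # content_id=0 OR 1=1
puts conditions_with_placeholders("content_id=?", bad_id)   # content_id='0 OR 1=1'
```

The answer to "does it matter for a SELECT COUNT" follows from the output: the read-only query is still assembled from untrusted text, so the client decides what the WHERE clause says. Passing the parameter as a bind value keeps it data, and `params[:id]` can simply be given to `:conditions` as Justin suggested, with no `#{}` and no `@`.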