Forum: Ruby on Rails SQL injection

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
unknown (Guest)
on 2006-04-15 17:59
(Received via mailing list)
Hi,
All through my current project, I've been assuming that rails is
clever enough to prevent SQL injections automatically. Is this right?
If not, what's the best way of doing it?
-Nathan
Alain Ravet (Guest)
on 2006-04-15 18:05
(Received via mailing list)
Nathan
    >rails ... SQL injections
    > If not, what's the best way of doing it?


Google(rails sql injection)
=> http://manuals.rubyonrails.com/read/chapter/43

Alain
Xavier Noria (Guest)
on 2006-04-15 18:14
(Received via mailing list)
On Apr 15, 2006, at 17:57, njmacinnes@gmail.com wrote:

> Hi,
> All through my current project, I've been assuming that rails is
> clever enough to prevent SQL injections automatically. Is this right?
> If not, what's the best way of doing it?

Avoid interpolation of tainted data in SQL fragments:

    # DON'T DO THIS
    user = User.find(:first, :conditions => "id = #{params['id']}")
    # DON'T DO THIS

Instead, use placeholders:

    # SAFE
    user = User.find(:first, :conditions => ['id = ?', params['id']])

or dynamic attribute-based finders (my choice):

    # SAFE
    user = User.find_by_id(params['id'])

-- fxn
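To make the difference between the two idioms above concrete without a database, here is an added example that is not part of the thread and not Rails' own code: a deliberately small re-implementation of the quoting that a `?` placeholder applies, beside the raw-interpolation version. The names `quote_value`, `bind_conditions`, `unsafe_conditions` and the constant `TAINTED_LOGIN` are assumptions made for this illustration, and the tainted login is constructed attacker input.

```ruby
# Added example (not from the thread, not ActiveRecord's code): a minimal
# re-implementation of how a `?` placeholder quotes a bound value, so the
# difference from string interpolation is visible without a database.
# quote_value, bind_conditions and unsafe_conditions are hypothetical names.

# Quote one Ruby value the way a SQL adapter would: numbers are emitted bare,
# nil becomes NULL, and strings are wrapped in single quotes with every
# embedded single quote doubled, so the value can never close the literal.
def quote_value(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  when true           then "1"
  when false          then "0"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each `?` in the fragment with the next quoted value. The block form
# of gsub is deliberate: a `?` inside a bound value is never re-scanned as a
# placeholder, and a mismatch between placeholders and values is an error
# rather than a silently truncated condition.
def bind_conditions(fragment, *values)
  expected = fragment.count("?")
  unless expected == values.length
    raise ArgumentError,
          "wrong number of bind variables (#{values.length} for #{expected})"
  end
  pending = values.dup
  fragment.gsub("?") { quote_value(pending.shift) }
end

# The pattern the thread warns against: request input dropped into SQL text.
def unsafe_conditions(login)
  "login = '#{login}'"
end

# Constructed attacker input: closes the string literal and appends a tautology.
TAINTED_LOGIN = "' OR '1'='1"

if __FILE__ == $0
  puts unsafe_conditions(TAINTED_LOGIN)            # login = '' OR '1'='1'
  puts bind_conditions("login = ?", TAINTED_LOGIN) # login = ''' OR ''1''=''1'
end
```

The interpolated fragment turns into two conditions joined by `OR`, matching every row; the bound fragment keeps the whole attacker string inside one quoted literal, so it can only ever be compared against the `login` column. Real adapters quote per database dialect, which is why application code should leave this to the placeholder mechanism rather than reimplement it.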
Tom Mornini (Guest)
on 2006-04-15 19:32
(Received via mailing list)
On Apr 15, 2006, at 9:12 AM, Xavier Noria wrote:

>    user = User.find(:first, :conditions => "id = #{params['id']}")
>    user = User.find_by_id(params['id'])
Are you suggesting the standard:

   user = User.find(params['id']) isn't safe?

I'm not 100% certain, but I'm pretty sure you can use the standard
find to find by id without worrying about SQL injection.

--
-- Tom Mornini
Xavier Noria (Guest)
on 2006-04-15 20:55
(Received via mailing list)
On Apr 15, 2006, at 19:31, Tom Mornini wrote:

> Are you suggesting the standard:
>
>   user = User.find(params['id']) isn't safe?
>
> I'm not 100% certain, but I'm pretty sure you can use the standard
> find to find by id without worrying about SQL injection.

Oh yes, I wasn't suggesting that.

I was comparing interpolation versus the other standard idioms, but
unfortunately I chose an example for which there exists yet a more
specific idiom (which is safe as well). I'd better have used, for instance,
"login" instead of "id" in my examples.

-- fxn