Do I need to do mysql_escape_string and how?

In my Rails apps do I need to do mysql_escape and if so what functions are around to be able to do this?

Is a SQL injection possible when a model object is saved/created? For example, with a user which has a nick, is it possible to escape MySQL using the nick and '?

paul wrote:

In my Rails apps do I need to do mysql_escape and if so what functions are around to be able to do this?

Let Rails take care of all such mundane things for you. Either assign your string, as string data, to a member of an ActiveRecord-derived object, or use your string in a find() using a parameter substitution system, like :conditions => ['foo = ?', my_foo].

I suspect Rails will either correctly escape things, or will use the underlying database's parameterized query system.

All you need to do is remember never to put a tainted string directly into a fragment of an SQL statement. Never say, for example, :conditions => "foo = '#{my_foo}'", because now you are vulnerable to SQL-insertion attacks. Rails cannot help a string with #{} in it, because that expands at Ruby time before Rails sees the string.


Phlip
http://c2.com/cgi/wiki?ZeekLand ← NOT a blog!!!

Yeah, that is the problem. I am generating the conditions statement in a string, which could be a security problem. I was wondering if there is a way to manually escape these fields whilst creating the conditions string?

John wrote:

Is a SQL injection possible when a model object is saved/created? For example, with a user which has a nick, is it possible to escape MySQL using the nick and '?

I am not sure about the data written to the database on save, but I would be very surprised if it does not sanitize it.

Data read back will always be safe as long as you don't insert strings directly (as Phlip demonstrates). See Peak Obsession.

paul wrote:

Yeah, that is the problem. I am generating the conditions statement in a string, which could be a security problem. I was wondering if there is a way to manually escape these fields whilst creating the conditions string?

:conditions => [" foo = ?", bar]

Always use at least the ? notation. This matches the raw database technique of parameterized queries. It escapes.


Phlip
http://c2.com/cgi/wiki?ZeekLand ← NOT a blog!!
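Added illustration, not part of the thread and not ActiveRecord's own code: a simplified reimplementation of what the `:conditions => ["foo = ?", bar]` form does, placed beside the `"foo = '#{my_foo}'"` form Phlip warns against. The names `quote_value`, `bind_conditions` and `interpolated_conditions` are hypothetical, and the quoting rule (doubling single quotes and backslashes) is an assumption standing in for the database adapter's real escaping.

```ruby
# Illustrative reimplementation (assumed, not ActiveRecord's code) of the
# difference between "?" placeholders and Ruby-time "#{}" interpolation.

# Quote one Ruby value as a SQL literal. Assumed simplified MySQL-style rule:
# integers pass through, nil becomes NULL, strings get backslashes and single
# quotes doubled so a quote inside the value cannot end the literal early.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else
    escaped = value.to_s.gsub("\\") { "\\\\" }.gsub("'") { "''" }
    "'#{escaped}'"
  end
end

# The safe form: each "?" is replaced by the matching value AFTER quoting,
# in a single pass, so a "?" inside a quoted value is never re-expanded.
def bind_conditions(sql, *values)
  parts = sql.split("?", -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "expected #{parts.size - 1} values, got #{values.size}"
  end
  parts.each_with_index.map do |part, i|
    i < values.size ? part + quote_value(values[i]) : part
  end.join
end

# The unsafe form: "#{}" expands before the string reaches the query layer,
# so a quote in the nick closes the literal and changes the SQL structure.
def interpolated_conditions(nick)
  "nick = '#{nick}'"
end

# Build both variants for one nick so the two results can be compared.
def compare(nick)
  { unsafe: interpolated_conditions(nick), safe: bind_conditions("nick = ?", nick) }
end

if __FILE__ == $0
  # Constructed sample nick containing a single quote.
  compare("O'Brien").each { |form, sql| puts "#{form}: #{sql}" }
end
```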