We've been seeing some queries against our Rails website which include the "\000" character in some string params. I don't know if these are malicious or not, but Postgres does not like them at all, and ActiveRecord does not help us by escaping this character. It's easy to repro: $ script/console >> Account.find_by_name("\000") ActiveRecord::StatementInvalid: PGError: ERROR: unterminated quoted string at or near "'" at character 50 : SELECT * FROM accounts WHERE (accounts."login" = '' ) LIMIT 1 It seems that somewhere in the chain, either ActiveRecord or the Postgres connection code should either strip or escape the \000 character. This is pretty difficult problem to google against, but it seems unlikely we're the only ones with this issue. Anyone? We're on Edge Rails revision 4798 and PostgreSQL 8.1.6. Thanks, Robin
on 2007-02-02 20:56
on 2007-02-03 00:01
firstname.lastname@example.org wrote: >>> > > We're on Edge Rails revision 4798 and PostgreSQL 8.1.6. > > Thanks, > Robin > > > > > > not much help but it's known as a "poison null byte" iirc - used for sql injection <runs off to test setup/>
on 2007-02-03 05:22
unfortunately postgresql uses c-strings, and therefore treats binary nulls in a "c way". They could avoid it but haven't done it so far as far as I know....