Forum: Ruby on Rails ActiveRecord + Postgres + \000 = BOOM

Robin Luckey (robinluckey)
on 2007-02-02 20:56
(Received via mailing list)
We've been seeing some queries against our Rails website which include
the "\000" character in some string params. I don't know if these are
malicious or not, but Postgres does not like them at all, and
ActiveRecord does not help us by escaping this character.

It's easy to repro:

$ script/console
>> Account.find_by_name("\000")
ActiveRecord::StatementInvalid: PGError: ERROR:  unterminated quoted
string at or near "'" at character 50
: SELECT * FROM accounts WHERE (accounts."login" = '' )  LIMIT 1

It seems that somewhere in the chain, either ActiveRecord or the
Postgres connection code should either strip or escape the \000.

This is a pretty difficult problem to google against, but it seems
unlikely we're the only ones with this issue. Anyone?

We're on Edge Rails revision 4798 and PostgreSQL 8.1.6.

Scott Mathieson (uberkorp)
on 2007-02-03 00:01
(Received via mailing list) wrote:
> We're on Edge Rails revision 4798 and PostgreSQL 8.1.6.
> Thanks,
> Robin
not much help but it's known as a "poison null byte" iirc - used for sql
<runs off to test setup/>
Alon Goldshuv (alon)
on 2007-02-03 05:22
Unfortunately PostgreSQL uses C strings, and therefore treats binary
nulls in a "C way". They could avoid it but haven't done it so far, as
far as I know....
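
An added example, not part of the thread: one way to keep the "\000" parameters from the first post away from the database is to refuse them at the request boundary. This Ruby code uses a Rack-style `call(env)` interface; the names `nul_param_paths` and `RejectNulBytes` are hypothetical, and it assumes only the query string needs checking (form and JSON bodies would need the same walk).

```ruby
require "uri"

# Return the path of every String (key or value) in a nested params
# structure that contains a NUL byte. Works on Hash, Array and String leaves.
def nul_param_paths(value, path = "params", hits = [])
  case value
  when String
    # .b gives a binary copy, so invalidly encoded input cannot raise here.
    hits << path if value.b.include?("\0")
  when Hash
    value.each do |key, val|
      hits << "#{path} (key)" if key.to_s.b.include?("\0")
      nul_param_paths(val, "#{path}[#{key.inspect}]", hits)
    end
  when Array
    value.each_with_index { |val, i| nul_param_paths(val, "#{path}[#{i}]", hits) }
  end
  hits
end

# Rack-style middleware (hypothetical name): answer 400 instead of letting a
# NUL byte reach ActiveRecord and surface as a PostgreSQL syntax error.
class RejectNulBytes
  BAD_REQUEST = [400, { "content-type" => "text/plain" }].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    params = parse_query(env["QUERY_STRING"].to_s)
    return [*BAD_REQUEST, ["malformed query string\n"]] if params.nil?

    hits = nul_param_paths(params)
    return [*BAD_REQUEST, ["NUL byte in #{hits.join(', ')}\n"]] unless hits.empty?

    @app.call(env)
  end

  private

  # Percent-decodes the query string, so "%00" becomes a real NUL byte here.
  def parse_query(query)
    pairs = URI.decode_www_form(query)
    pairs.each_with_object({}) { |(k, v), h| (h[k] ||= []) << v }
  rescue ArgumentError
    nil # undecodable input is rejected by the caller
  end
end
```

Rejecting with a 400 also leaves a clear record of these requests in the access log, which helps answer the first post's question of whether they are malicious.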