I'm a bit of a newbie, so I hope this isn't an already-answered question... A URL of the form http://(item)/show/25 shows the 25th "item", but I've just noticed that http://(item)/show/25hello also displays this same item. Q: is this a security concern, e.g. for SQL injection? Also, in the spirit of decreasing the temptation of hackers, is there a way to cause an error to be generated for such URLs, throughout a site?
on 2007-02-22 13:22
on 2007-02-22 15:23
IIRC, when you do a Model.find(param[:id]), the string is converted to an int via to_i. When ruby does the conversion, it grabs the 2, then the 5 and then sees garbage and returns a 25. If you passed a string of just letters, the conversion would fail and you would get an exception.

Stephen Gerstacker
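The to_i behaviour described in the answer above, as an added example in plain Ruby that is not part of the original thread: ITEMS, find_item, lenient_id, strict_id and show are constructed stand-ins for a model table and a controller action, not Rails code. The strict path addresses the second half of the question, rejecting any id segment that is not purely decimal digits before it reaches a lookup.

```ruby
# Added example; not code from the original thread. Shows what String#to_i
# does with a URL segment such as "25hello", and a strict check that rejects
# anything but a plain decimal integer. ITEMS and find_item are a constructed
# stand-in for a model table; show stands in for a controller action.

ITEMS = { 25 => "item twenty-five", 7 => "item seven" }  # constructed sample data

class NotFound < StandardError; end

# Stand-in for Model.find: raises when the id is absent, like RecordNotFound.
def find_item(id)
  ITEMS.fetch(id) { raise NotFound, "no item with id #{id.inspect}" }
end

# Lenient path: to_i keeps the leading digits and drops the rest,
# so "25hello" becomes 25; a string with no leading digits becomes 0.
def lenient_id(segment)
  segment.to_i
end

# Strict path: the whole segment must be decimal digits (\A..\z anchors
# both ends, so "25hello", " 25", "-3" and "25\n" are all refused).
def strict_id(segment)
  unless segment =~ /\A\d+\z/
    raise ArgumentError, "id must be a decimal integer, got #{segment.inspect}"
  end
  segment.to_i
end

# Controller-like helper: resolve the :id segment of /show/:id to an item.
def show(segment, strict: false)
  id = strict ? strict_id(segment) : lenient_id(segment)
  find_item(id)
end

if __FILE__ == $0
  puts show("25")                      # item twenty-five
  puts show("25hello")                 # item twenty-five (lenient truncation)
  begin
    show("25hello", strict: true)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  begin
    show("hello")                      # to_i gives 0, which is not an item
  rescue NotFound => e
    puts "not found: #{e.message}"
  end
end
```

In a Rails application the same whitelist belongs on the route, so such URLs never reach the controller: `:requirements => { :id => /\d+/ }` on the route in Rails 1.2 and 2.x, `constraints: { id: /\d+/ }` in Rails 3 and later, after which /show/25hello produces a routing error rather than the item. Whether the truncation of "25hello" to 25 happens in Ruby's to_i or in the database's string-to-integer cast depends on the Rails version and adapter; the strict check makes that question moot, and an id that has been reduced to an integer, or rejected outright, carries nothing for SQL injection to work with.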