u = Users.new #<ActiveRecord Model>
x = '3; delete from users' # user-supplied data, which is supposed to be an integer
u.connection.execute("select * from users where id = #{x}") # deletes ALL records
How would one guard against this SQL injection?
The best way I found so far is to use the quote method as follows:
u.connection.execute("select * from users where id = #{u.quote x}")
Is there a preferred/safer/better way?
-pachl
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---
Users.find(x)

On 17/10/06, clintpachl <clintpachl-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> u = Users.new #<ActiveRecord Model>
> x = '3; delete from users' # user-supplied data, which is supposed to be an integer
> u.connection.execute("select * from users where id = #{x}") # deletes ALL records
>
> How would one guard against this SQL injection?
>
> The best way I found so far is to use the quote method as follows:
>
> u.connection.execute("select * from users where id = #{u.quote x}")
>
> Is there a preferred/safer/better way?
>
> -pachl

-- 
http://www.snowblink.co.uk/
clintpachl <clintpachl@...> writes:
> u = Users.new #<ActiveRecord Model>
> x = '3; delete from users' # user-supplied data, which is supposed to be an integer
> u.connection.execute("select * from users where id = #{x}") # deletes ALL records
>
> How would one guard against this SQL injection?

In the case of an ID:

User.find(supposed_id)

otherwise ActiveRecord has a built-in way to escape SQL:

User.find(:all, :conditions => ["my_field = ?", supposed_field])

See http://api.rubyonrails.org/classes/ActiveRecord/Base.html for details

Gareth
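Added example, not code from any of the posts above and not ActiveRecord's own implementation: a plain-Ruby model of the three approaches the thread discusses (raw interpolation, quoting the value, and the `["... = ?", value]` placeholder form), plus the integer coercion that is the right fix when the input is supposed to be an ID. The `sql_quote`, `bind_sql` and `statement_count` helpers are assumptions written to mimic what an adapter's `quote` and the `:conditions` array form do, so the example runs without a database or the ActiveRecord gem; the malicious input is constructed.

```ruby
# Added example (not from the thread): a plain-Ruby model of raw
# interpolation vs. quoting vs. "?" placeholders, runnable without a
# database or ActiveRecord. sql_quote/bind_sql are assumptions that mimic
# connection.quote and :conditions => ["... = ?", v]; they are not AR code.

# Quote a Ruby value the way an SQL adapter would: integers go in bare,
# nil becomes NULL, everything else is single-quoted with embedded
# single quotes doubled.
def sql_quote(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Bind positional "?" placeholders with quoted values. Raises if the
# number of placeholders and values differ, so a "?" is never left unfilled.
def bind_sql(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  i = -1
  template.gsub("?") { sql_quote(values[i += 1]) }
end

# Unsafe: raw interpolation of user input (the original post's mistake).
def unsafe_query(x)
  "select * from users where id = #{x}"
end

# Safer: quote the value first (the original poster's workaround).
def quoted_query(x)
  "select * from users where id = #{sql_quote(x)}"
end

# Safe: positional placeholder, the same idea as :conditions => ["id = ?", x].
def bound_query(x)
  bind_sql("select * from users where id = ?", x)
end

# Safest for an ID: coerce to an integer before it gets near SQL.
# Integer() raises ArgumentError on "3; delete from users", whereas
# String#to_i would silently return 3.
def id_query(x)
  bind_sql("select * from users where id = ?", Integer(x, 10))
end

# Crude statement counter: counts ';' outside single-quoted strings.
# Used here only to show how many statements would reach the database.
def statement_count(sql)
  in_quote = false
  count = 1
  sql.each_char do |c|
    in_quote = !in_quote if c == "'"
    count += 1 if c == ";" && !in_quote
  end
  count
end

if __FILE__ == $0
  x = "3; delete from users" # constructed malicious input
  puts unsafe_query(x)       # two statements reach the database
  puts quoted_query(x)       # one statement; the input stays inside quotes
  puts bound_query(x)        # same result via the placeholder form
  begin
    id_query(x)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts id_query("3")         # select * from users where id = 3
end
```

Note the caveat the quoting workaround carries: `id = '3; delete from users'` is no longer an injection, but it compares an integer column against a string, and what that matches is database-dependent. When the parameter is an ID, coerce it to an integer (or let `find` do the quoting) rather than relying on quoting alone.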