@client = Client.find(params[:id])

I use the above line in a lot of scripts because it is shown this way in the Rails book. Is this safe? Does it use placeholders? Will it leave me open to an SQL injection attack?

--
Posted via http://www.ruby-forum.com/.
You're safe with any of the automatically generated find methods. The only time you need to worry is when you're using any SQL, such as when you call find_by_sql, or you pass :conditions. Refer to pp. 213-214 of the Rails book for more info, and I'm sure the API docs cover it as well.

On 1/26/06, charlie bowman <cbowmanschool@yahoo.com> wrote:
> @client = Client.find(params[:id])
>
> I use the above line in a lot of scripts because it is shown this way in
> the Rails book. Is this safe? Does it use placeholders? Will it leave
> me open to an SQL injection attack?
>
> --
> Posted via http://www.ruby-forum.com/.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
It depends what you are trying to do. For example, if you are doing a messaging page you probably want to do something along the lines of

@message = Message.find(@params[:id], :conditions => ["user_id = ?", @session[:user_id]])

to prevent just any person from going to http://yoursite.com/message/show/30

However, if you have a shopping site, then you would obviously want anybody to see the product with your find. So it depends on the app and if you need to add some additional logic to the find. All in all, though, find(@params[:id]) should be safe, generally speaking.

adam

On 1/26/06, charlie bowman <cbowmanschool@yahoo.com> wrote:
> @client = Client.find(params[:id])
>
> I use the above line in a lot of scripts because it is shown this way in
> the Rails book. Is this safe? Does it use placeholders? Will it leave
> me open to an SQL injection attack?
On 1/26/06, Adam Denenberg <straightflush@gmail.com> wrote:
> It depends what you are trying to do. For example, if you are doing a
> messaging page you probably want to do something along the lines of
>
> @message = Message.find(@params[:id], :conditions => ["user_id = ?", @session[:user_id]])
>
> to prevent just any person from going to http://yoursite.com/message/show/30

I prefer to do

@message = session[:user].messages.find(params[:id])

That ends up generating the same exact SQL obviously, but I think it's a good habit to take advantage of the rich model whenever possible. I find I generally think more clearly, leading to better code, and I get the benefit of somewhat hidden security features.

> However, if you have a shopping site, then you would obviously want
> anybody to see the product with your find. So it depends on the app
> and if you need to add some additional logic to the find.
>
> All in all, though, find(@params[:id]) should be safe, generally speaking.

Sounded to me like he was simply asking about SQL injection type stuff, in which case it's perfectly safe.
Yes, I was just wondering about SQL injection. Thanks for the info!

> Sounded to me like he was simply asking about SQL injection type
> stuff, in which case it's perfectly safe.
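Added illustration for the thread above, not code from any of the posters or from ActiveRecord itself: a small stand-in for the two query-building paths the replies contrast, the quoted id plus a `["user_id = ?", value]` placeholder array versus hand-interpolated SQL. The names `quote_value`, `bind_conditions`, `find_sql` and `interpolated_find_sql` are made up for the example, and real ActiveRecord quoting is column-type aware and differs in detail.

```ruby
# Constructed stand-in, not ActiveRecord's own quoting (which is also
# column-type aware): enough to show what a placeholder does to a value
# that arrived in params, versus interpolating that value into the SQL.
# quote_value, bind_conditions, find_sql, interpolated_find_sql are names
# made up for this example.

# Render one Ruby value as an SQL literal. A string is wrapped in single
# quotes with any embedded quote doubled, so whatever it contains is read
# by the database as data, never as SQL syntax.
def quote_value(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Fill a ["col = ?", v1, ...] conditions array, the :conditions form used
# in the thread. Splitting on "?" first means a "?" inside a bound value
# can never be mistaken for a placeholder, and the count must match.
def bind_conditions(conditions)
  template, *values = conditions
  parts = template.split("?", -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "#{parts.size - 1} placeholders, #{values.size} values"
  end
  parts.zip(values.map { |v| quote_value(v) } + [""]).flatten.join
end

# Shape of the query behind Client.find(params[:id]) with optional
# :conditions: the id is quoted, the conditions are placeholder-bound.
def find_sql(table, id, conditions = nil)
  sql = "SELECT * FROM #{table} WHERE #{table}.id = #{quote_value(id)}"
  sql += " AND (#{bind_conditions(conditions)})" if conditions
  sql
end

# The hand-written-SQL case the first reply warns about: the request
# parameter is pasted into the statement as-is.
def interpolated_find_sql(table, id)
  "SELECT * FROM #{table} WHERE #{table}.id = #{id}"
end

if __FILE__ == $0
  tampered = "30 OR 1=1"   # constructed sample of an edited request parameter
  puts find_sql("clients", tampered)               # ... clients.id = '30 OR 1=1'
  puts interpolated_find_sql("clients", tampered)  # ... clients.id = 30 OR 1=1
  puts find_sql("messages", 30, ["user_id = ?", 7])
end
```

With the tampered parameter, the quoted path produces a literal that matches no row, while the interpolated path turns the tampered text into part of the WHERE clause, which is the difference the thread's "safe unless you write the SQL yourself" answer is pointing at.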