Hi,

All through my current project, I've been assuming that rails is clever enough to prevent SQL injections automatically. Is this right? If not, what's the best way of doing it?

-Nathan
Nathan

> rails ... SQL injections
> If not, what's the best way of doing it?

Google(rails sql injection) => http://manuals.rubyonrails.com/read/chapter/43

Alain
On Apr 15, 2006, at 17:57, njmacinnes@gmail.com wrote:

> Hi,
> All through my current project, I've been assuming that rails is
> clever enough to prevent SQL injections automatically. Is this right?
> If not, what's the best way of doing it?

Avoid interpolation of tainted data in SQL fragments:

    # DON'T DO THIS
    user = User.find(:first, :conditions => "id = #{params['id']}")
    # DON'T DO THIS

Instead, use placeholders:

    # SAFE
    user = User.find(:first, :conditions => ['id = ?', params['id']])

or dynamic attribute-based finders (my choice):

    # SAFE
    user = User.find_by_id(params['id'])

-- fxn
On Apr 15, 2006, at 9:12 AM, Xavier Noria wrote:

> On Apr 15, 2006, at 17:57, njmacinnes@gmail.com wrote:
>
>> Hi,
>> All through my current project, I've been assuming that rails is
>> clever enough to prevent SQL injections automatically. Is this right?
>> If not, what's the best way of doing it?
>
> Avoid interpolation of tainted data in SQL fragments:
>
>     # DON'T DO THIS
>     user = User.find(:first, :conditions => "id = #{params['id']}")
>     # DON'T DO THIS
>
> Instead, use placeholders:
>
>     # SAFE
>     user = User.find(:first, :conditions => ['id = ?', params['id']])
>
> or dynamic attribute-based finders (my choice):
>
>     # SAFE
>     user = User.find_by_id(params['id'])

Are you suggesting the standard:

    user = User.find(params['id'])

isn't safe?

I'm not 100% certain, but I'm pretty sure you can use the standard find to find by id without worrying about SQL injection.

-- Tom Mornini
On Apr 15, 2006, at 19:31, Tom Mornini wrote:

> Are you suggesting the standard:
>
>     user = User.find(params['id'])
>
> isn't safe?
>
> I'm not 100% certain, but I'm pretty sure you can use the standard
> find to find by id without worrying about SQL injection.

Oh yes, I wasn't suggesting that. I was comparing interpolation versus the other standard idioms, but unfortunately I chose an example for which there exists yet a more specific idiom (which is safe as well). I'd better have used for instance "login" instead of "id" in my examples.

-- fxn
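The contrast fxn draws between string interpolation and `?` placeholders, shown as an added example that is not code from the thread and not ActiveRecord's own implementation. It uses a minimal stand-in for the placeholder substitution a Rails conditions array goes through (standard SQL quoting: strings wrapped in single quotes with embedded quotes doubled, numbers left bare), built on the "login" column fxn says he should have used. The attacker-style input string is constructed for the illustration; `sanitize_conditions`, `quote_value`, `interpolated_where` and `placeholder_where` are names invented here.

```ruby
# Added illustration of why "login = ?" with a bind value is safe while
# "login = '#{login}'" is not. This is a simplified model of the quoting
# that ActiveRecord's conditions array performs, not ActiveRecord itself
# (the real thing delegates quoting to the database adapter).

# Quote one bind value the way a SQL literal must be written: numbers bare,
# NULL for nil, everything else as a single-quoted string with any embedded
# single quote doubled (the SQL-standard escape).
def quote_value(value)
  case value
  when Integer, Float then value.to_s
  when NilClass       then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Substitute each "?" in the template with the corresponding quoted value.
# gsub with a block inserts the block result literally, so a "?" inside a
# quoted value can never be mistaken for another placeholder.
def sanitize_conditions(template, *values)
  placeholders = template.count("?")
  raise ArgumentError, "expected #{placeholders} bind values, got #{values.size}" unless placeholders == values.size
  pending = values.dup
  template.gsub("?") { quote_value(pending.shift) }
end

# The pattern the thread warns against: user input spliced straight into SQL.
def interpolated_where(login)
  "login = '#{login}'"
end

# The pattern the thread recommends: the value travels as a bind parameter.
def placeholder_where(login)
  sanitize_conditions("login = ?", login)
end

# Constructed hostile input: a closing quote followed by an always-true clause.
HOSTILE_LOGIN = "x' OR '1'='1"

if __FILE__ == $PROGRAM_NAME
  puts "interpolated: #{interpolated_where(HOSTILE_LOGIN)}"
  puts "placeholder:  #{placeholder_where(HOSTILE_LOGIN)}"
  puts "numeric:      #{sanitize_conditions('id = ?', 42)}"
  puts "two binds:    #{sanitize_conditions('id = ? AND login = ?', 7, 'bob')}"
end
```

Running it prints a WHERE fragment from the interpolated version in which the input has become a second predicate (`login = 'x' OR '1'='1'`), whereas the placeholder version keeps the whole string inside one literal (`login = 'x'' OR ''1''=''1'`), so the database compares it against the column value and nothing more. The same quoting is what makes `User.find_by_login(params['login'])` safe: the dynamic finder builds the conditions array for you.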