In my Rails apps do I need to do mysql_escape and if so what functions are around to be able to do this?

-- 
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
paul wrote:

> In my Rails apps do I need to do mysql_escape and if so what functions
> are around to be able to do this?

Let Rails take care of all such mundane things for you. Either assign your string, as string data, to a member of an ActiveRecord-derived object, or use your string in a find() using a parameter substitution system, like :conditions => ['foo = ?', my_foo]. I suspect Rails will either correctly escape things, or will use the underlying database's parameterized query system.

All you need to do is remember never to put a tainted string directly into a fragment of an SQL statement. Never say, for example, :conditions => "foo = '#{my_foo}'", because now you are vulnerable to SQL-insertion attacks. Rails cannot help a string with #{} in it, because that expands at Ruby time before Rails sees the string.

-- 
Phlip
http://www.greencheese.us/ZeekLand <-- NOT a blog!!!
Is a SQL injection possible when a model object is saved/created? For example, a user which has a nick: is it possible to escape MySQL using nick and '?

-- 
Posted via http://www.ruby-forum.com/.
John wrote:

> Is a SQL injection possible when a model object is saved/created?
> For example, a user which has a nick: is it possible to escape MySQL
> using nick and '?

I am not sure about the data written to the database on save, but I would be very surprised if it does not sanitize it. Data read back will always be safe as long as you don't insert strings directly (as Phlip demonstrates). See http://manuals.rubyonrails.com/read/chapter/43.

-- 
Posted via http://www.ruby-forum.com/.
Yeah, that is the problem. I am generating the conditions statement in a string, which could be a security problem. I was wondering if there is a way to manually escape these fields whilst creating the conditions string?

-- 
Posted via http://www.ruby-forum.com/.
paul wrote:

> Yeah, that is the problem. I am generating the conditions statement in a
> string, which could be a security problem. I was wondering if there is a
> way to manually escape these fields whilst creating the conditions
> string?

:conditions => [" foo = ?", bar]

Always use at least the ? notation. This matches the raw database technique of parameterized queries. It escapes.

-- 
Phlip
http://c2.com/cgi/wiki?ZeekLand <-- NOT a blog!!
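Phlip's point about the ? notation versus #{} interpolation, as an added example that is not part of the original thread or of Rails itself: a minimal stand-in for what :conditions => ["nick = ?", value] does, next to the interpolated form he warns against. quote, sanitize_sql_array and unescaped_quote_count are hypothetical re-implementations (Rails' real quoting lives in the database adapter), and the nick value is constructed.

```ruby
# Added example, not Rails code: a minimal stand-in for what
# :conditions => ["nick = ?", value] does; all helpers are hypothetical.

# MySQL-style quoting: wrap in single quotes and backslash-escape the
# characters that could end or alter the literal.
def quote(value)
  case value
  when nil then "NULL"
  when Integer, Float then value.to_s
  else
    escaped = value.to_s.gsub(/[\\'"\x00\n\r\x1a]/) do |c|
      { "\x00" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z" }.fetch(c) { "\\#{c}" }
    end
    "'#{escaped}'"
  end
end

# Replace each ? with a quoted bind value: the parameter substitution
# Phlip recommends. Quoting happens here, after the SQL text is fixed.
def sanitize_sql_array(statement, *values)
  parts = statement.split("?", -1)
  raise ArgumentError, "bind value count mismatch" unless parts.size - 1 == values.size
  parts.zip(values.map { |v| quote(v) } + [""]).flatten.join
end

# The anti-pattern: the value is spliced into the SQL text before anything can quote it.
def interpolated_conditions(nick)
  "nick = '#{nick}'"
end

def safe_conditions(nick)
  sanitize_sql_array("nick = ?", nick)
end

# Count quotes acting as literal delimiters, honouring backslash escapes
# like the MySQL lexer. An odd count means a quote supplied in the value
# has become part of the statement's structure.
def unescaped_quote_count(sql)
  count, i = 0, 0
  while i < sql.length
    if sql[i] == "\\" then i += 2; next end
    count += 1 if sql[i] == "'"
    i += 1
  end
  count
end

nick = "O'Brien"  # constructed input: an ordinary name that contains a quote
p unescaped_quote_count(interpolated_conditions(nick)), unescaped_quote_count(safe_conditions(nick))  # 3, 2
```

The interpolated form yields three delimiters, so the quote from the input has changed the statement's shape; the parameterized form yields two, with the quote still inside the literal.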