IIRC, when you do a Model.find(params[:id]), the string is converted to an
int via to_i. When Ruby does the conversion, it grabs the 2, then the 5 and
then sees garbage and returns 25. If you passed a string of just letters,
the conversion would fail and you would get an exception.
Stephen Gerstacker
-----Original Message-----
From: rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
[mailto:rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org] On Behalf Of
dankelley
Sent: Thursday, February 22, 2007 07:21
To: Ruby on Rails: Talk
Subject: [Rails] text after id in URL (security issue?)
I'm a bit of a newbie, so I hope this isn't an already-answered
question...
A URL of the form
http://(item)/show/25
shows the 25th "item", but I've just noticed that
http://(item)/show/25hello
also displays this same item.
Q: is this a security concern, e.g. for SQL injection? Also, in the
spirit of decreasing the temptation of hackers, is there a way to
cause an error to be generated for such URLs, throughout a site?
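The following is an added example, not code from either message above, showing what Ruby's String#to_i actually does with the trailing text in a URL id (it keeps the leading digits and drops the rest; a string with no leading digits gives 0 rather than raising), what reaches the SQL once that conversion has happened, and a strict decimal-only check of the kind a site-wide before_filter could apply. The method names, the `items` table name and the sample ids are illustrative assumptions, not Rails API.

```ruby
# Added example (not from the original thread). Method names and the
# `items` table are illustrative, not Rails API.

# 1. Lenient conversion, as used when a string is compared against an
#    integer column: leading digits (after optional whitespace and sign)
#    are kept, anything after them is dropped, and a string with no
#    leading digits becomes 0. No exception is raised.
def lenient_id(param)
  param.to_i
end

# 2. Strict conversion: Kernel#Integer raises ArgumentError unless the
#    whole string is an integer literal. Note it still accepts "0x19",
#    "0b11001" and leading-zero octal, so it is not a decimal-only check.
def strict_id(param)
  Integer(param)
end

# 3. Decimal-only check suitable for a controller filter: returns the id
#    as an Integer, or nil if the parameter is anything but ASCII digits.
#    A filter can then render a 404 (or raise) whenever this returns nil.
ID_FORMAT = /\A[0-9]+\z/

def valid_decimal_id(param)
  return nil unless param.is_a?(String) && param =~ ID_FORMAT
  param.to_i
end

# 4. The WHERE fragment that results once the id has gone through to_i:
#    whatever followed the digits never reaches the query, which is why
#    "25hello" behaves like "25" rather than injecting anything.
def where_fragment(param)
  "WHERE items.id = #{lenient_id(param)}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample ids, including the one from the question.
  %w[25 25hello hello 25;DROP -25].each do |p|
    puts "#{p.inspect}: to_i=#{lenient_id(p)} " \
         "valid=#{valid_decimal_id(p).inspect} sql=#{where_fragment(p).inspect}"
    begin
      puts "  Integer() => #{strict_id(p)}"
    rescue ArgumentError => e
      puts "  Integer() raises #{e.class}: #{e.message}"
    end
  end
end
```

The injection worry is answered by step 4: after to_i only a bare integer is interpolated, so the "hello" suffix cannot alter the query. The error-on-garbage request is answered by step 3; to_i on its own cannot provide it, because "hello".to_i is 0 and simply looks up id 0.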