The example from the api for has_many looks like:

  has_many :subscribers, :class_name => "Person", :finder_sql =>
      'SELECT DISTINCT people.* ' +
      'FROM people p, post_subscriptions ps ' +
      'WHERE ps.post_id = #{id} AND ps.person_id = p.id ' +
      'ORDER BY p.first_name'

Notice the interpolation: #{id}

Is this escaped, or is it vulnerable to sql injection? Is there a syntax that allows something like

  WHERE ps.post_id = ?

If so, what is it? My attempts so far don't work.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
> The example from the api for has_many looks like:
>
>   has_many :subscribers, :class_name => "Person", :finder_sql =>
>       'SELECT DISTINCT people.* ' +
>       'FROM people p, post_subscriptions ps ' +
>       'WHERE ps.post_id = #{id} AND ps.person_id = p.id ' +
>       'ORDER BY p.first_name'
>
> Notice the interpolation: #{id}
>
> Is this escaped, or is it vulnerable to sql injection? Is there a
> syntax that allows something like
>   WHERE ps.post_id = ?
> If so, what is it? My attempts so far don't work.

Don't know, but at a minimum you could change it to #{id.to_i} to force it to return an integer value...
Rick Schumeyer wrote:
> Notice the interpolation: #{id}
>
> Is this escaped, or is it vulnerable to sql injection?

It's vulnerable to sql injection if the value of 'id' could be provided (i.e. corrupted) by the user.

> Is there a syntax that allows something like
>   WHERE ps.post_id = ?

Agile Web Development with Rails includes the following example (p306):

  Order.find_by_sql(["select * from orders where amount > ?", params[:amount]])

Nat
-- 
Posted via http://www.ruby-forum.com/.
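The three spellings of the finder discussed in the replies, side by side, as an added example that is not code from the thread or from Rails. It runs without Rails installed: `bind_sql` is a hypothetical stand-in for the `["... ?", value]` binding form Nat quotes, and its quoting rule (integers stay bare, nil becomes NULL, everything else becomes a single-quoted literal with embedded quotes doubled) is a simplified assumption, not ActiveRecord's own sanitizer. The input string is constructed.

```ruby
# Added example, not from the thread or from Rails. bind_sql below is a
# hypothetical, simplified stand-in for ActiveRecord's ["sql ?", value]
# binding; the quoting rule in quote_value is an assumption for illustration.

def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"   # literal: embedded quotes doubled
  end
end

# Replace each ? with the next bound value, quoted as a literal.
# A placeholder/value count mismatch is an error, never silently ignored.
def bind_sql(sql, values)
  remaining = values.dup
  bound = sql.gsub("?") {
    raise ArgumentError, "not enough bind values for #{sql.inspect}" if remaining.empty?
    quote_value(remaining.shift)
  }
  raise ArgumentError, "#{remaining.size} unused bind value(s)" unless remaining.empty?
  bound
end

FINDER_PREFIX = "SELECT DISTINCT people.* FROM people p, post_subscriptions ps WHERE ps.post_id = "
FINDER_SUFFIX = " AND ps.person_id = p.id ORDER BY p.first_name"

# 1. The finder_sql as written in the api example: plain string interpolation,
#    so whatever id holds lands in the SQL text unquoted.
def finder_sql_interpolated(id)
  "#{FINDER_PREFIX}#{id}#{FINDER_SUFFIX}"
end

# 2. The #{id.to_i} variant from the second reply: non-digits are dropped,
#    so only an integer can reach the SQL (garbage becomes 0).
def finder_sql_to_i(id)
  "#{FINDER_PREFIX}#{id.to_i}#{FINDER_SUFFIX}"
end

# 3. The placeholder form: the value is bound as a quoted literal and is
#    never parsed as part of the SQL.
def finder_sql_bound(id)
  bind_sql("#{FINDER_PREFIX}?#{FINDER_SUFFIX}", [id])
end

if __FILE__ == $0
  tainted = "7'"   # constructed untrusted value, e.g. from a request parameter
  puts finder_sql_interpolated(tainted)   # ... ps.post_id = 7' AND ...   (broken/unquoted)
  puts finder_sql_to_i(tainted)           # ... ps.post_id = 7 AND ...
  puts finder_sql_bound(tainted)          # ... ps.post_id = '7''' AND ... (quoted literal)
  puts finder_sql_bound(7)                # ... ps.post_id = 7 AND ...
  puts bind_sql("select * from orders where amount > ?", [50])
end
```

The `to_i` route only works because `post_id` is numeric; note that `"abc".to_i` is `0`, so a malformed value is turned into a query for post 0 rather than rejected. The placeholder route is the general one and is what the `find_by_sql` example above relies on.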