If I call .create on the param structure, are the parameters being passed to the create method automatically sanitized for me?

e.g. Journalentry.create(param[:journalentry])

Do I have to worry about any malicious scripting making its way into the creation of the record?

Thanks.

-- 
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
On 8/22/07, Jim Jones <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> If I call .create on the param structure, are the parameters being
> passed to the create method automatically sanitized for me?
>
> e.g. Journalentry.create(param[:journalentry])
>
> Do I have to worry about any malicious scripting making its way into the
> creation of the record?

Yes, all values passed to create() are properly quoted for insertion into the database, so you're protected from SQL injection attacks. However, they are not "sanitized" beyond that, so you of course need to be careful to properly escape them when you send them back to the view. This is obviously not the bailiwick of ActiveRecord...
Bob Showalter wrote:
> Yes, all values passed to create() are properly quoted for insertion
> into the database, so you're protected from SQL injection attacks.

I have users created with User.create(params[:form]) and this is secure (in terms of SQL injection), right?

So how should I find a user by email using find with :conditions? The create method does not escape the @ sign, but :conditions => ["email = ?", params[:email]] does escape it, so user@domain (inserted into the DB by the create method) is something different than user%40domain (queried by find with :conditions). I wonder how to properly create a :conditions statement.

Of course User.find_by_email is secure (escapes ') and finds the email since it does not escape @, but how do I create more complicated queries with :conditions and be SQL injection safe?

Best regards,
-- 
Witold Rugowski
http://nhw.pl/wp/ (EN blog)
http://FriendsFeedMe.com

-- 
Posted via http://www.ruby-forum.com/.
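As an added illustration of the layers the two replies above talk about (this is example code written for this thread, not code from the thread's posters or from Rails itself): a deliberately simplified stand-in for what ActiveRecord's `?` placeholder in :conditions does to a bound value, placed next to the view-side HTML escaping Bob mentions and the URL encoding that produces `%40`. The helper names (sql_quote, bind_conditions, html_escape, url_encode), the sample inputs and the string-doubling quoting rule are constructed for the example; only CGI.escapeHTML and CGI.escape are real Ruby standard-library calls.

```ruby
require 'cgi'

# Simplified model of quoting a value as a SQL string literal, the way a
# bound `?` placeholder is handled: wrap in single quotes and double any
# embedded single quote. (Constructed stand-in, not ActiveRecord's code.)
def sql_quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Bind values into a template such as "email = ?" placeholder by placeholder.
# Every value goes through sql_quote, so the template text itself is the only
# part of the statement the caller controls.
def bind_conditions(template, *values)
  if template.count('?') != values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  remaining = values.dup
  template.gsub('?') { sql_quote(remaining.shift) }
end

# Constructed inputs, as they might arrive in params[]
LEGIT_EMAIL   = "user@domain.example"
HOSTILE_INPUT = "x' OR '1'='1"
SCRIPT_NAME   = "<script>alert(1)</script>"

# The @ sign is not special to SQL, so binding leaves it untouched.
def bound_legit
  bind_conditions("email = ?", LEGIT_EMAIL)
end

# A quote-laden value stays inside the literal: the doubled quotes keep the
# OR clause as data rather than SQL.
def bound_hostile
  bind_conditions("email = ?", HOSTILE_INPUT)
end

# The 'before' pattern the thread warns against: string interpolation. Shown
# only to make the difference visible; it lets the value close the literal.
def interpolated_hostile
  "email = '#{HOSTILE_INPUT}'"
end

# Output-time escaping for the view: a separate step from SQL quoting.
def html_escape(value)
  CGI.escapeHTML(value.to_s)
end

# URL encoding: this is where user@domain becomes user%40domain. It belongs
# to building URLs and query strings, not to SQL quoting.
def url_encode(value)
  CGI.escape(value.to_s)
end

if __FILE__ == $PROGRAM_NAME
  puts bound_legit
  puts bound_hostile
  puts interpolated_hostile
  puts html_escape(SCRIPT_NAME)
  puts url_encode(LEGIT_EMAIL)
end
```

Running this prints `email = 'user@domain.example'` for the bound legitimate value and `email = 'x'' OR ''1''=''1'` for the hostile one, while the interpolated form breaks out of the literal. Two takeaways for the questions in the thread: a value stored by create and a value bound with `?` are quoted the same way, with `@` left alone, so the percent-encoded `%40` form only arises if a URL-encoded string is passed in without being decoded first; and HTML escaping is done when the value is rendered, never at insertion time.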