Does anyone have a suggestion for a good method to sanitize user input before it is used by a controller? I am aware of the sanitize method, but it is part of ActionView and not available to my controllers. This seems like a basic security protocol but I can't seem to find a good method. Thanks!

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Mindtonic wrote:
> Does anyone have a suggestion for a good method to sanitize user input
> before it is used by a controller? I am aware of the sanitize method,
> but it is part of ActionView and not available to my controllers.
> This seems like a basic security protocol but I can't seem to find a
> good method. Thanks!

depends what you want to sanitize.

ActionView is sanitizing javascript, and html entities.
ActiveRecord has methods to sanitize SQL input, to prevent injection.

work out what you want to sanitize
and stick it in application.rb "before_filter :sanitize_params"

--
Posted via http://www.ruby-forum.com/.
In this case I am wanting to sanitize search queries. But I also would like a safety net for all user generated content.

sanitize_params is a method of my own design? I am hoping to find a framework to adapt as I am not aware of every possible thing, and I know there are folks out there who have covered this problem.

Any suggestions?

On Sep 18, 11:10 am, Matthew Rudy <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Mindtonic wrote:
> > Does anyone have a suggestion for a good method to sanitize user input
> > before it is used by a controller? I am aware of the sanitize method,
> > but it is part of ActionView and not available to my controllers.
> > This seems like a basic security protocol but I can't seem to find a
> > good method. Thanks!
>
> depends what you want to sanitize.
>
> ActionView is sanitizing javascript, and html entities.
> ActiveRecord has methods to sanitize SQL input, to prevent injection.
>
> work out what you want to sanitize
> and stick it in application.rb "before_filter :sanitize_params"
> --
> Posted via http://www.ruby-forum.com/.
Mindtonic wrote:
> In this case I am wanting to sanitize search queries. But I also
> would like a safety net for all user generated content.
>
> sanitize_params is a method of my own design? I am hoping to find a
> framework to adapt as I am not aware of every possible thing, and I
> know there are folks out there who have covered this problem.
>
> Any suggestions?
>
> On Sep 18, 11:10 am, Matthew Rudy <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org>

well... let's take a look at how you might implement one of these "search queries"

Model.find(:all, :conditions => ["text LIKE ?", params[:string]])

ActiveRecord then goes and runs "sanitize_sql_array" on the supplied array, inserting the params in place of the "?" while ensuring that they're quoted safely.

Is that what you mean?

the general rule is always use the "?" replacement method with your ActiveRecord finds.

--
Posted via http://www.ruby-forum.com/.
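The "?" replacement described above, shown with a small stand-in for sanitize_sql_array so the quoting can be inspected without a database. This is an added example, not code from the thread or from ActiveRecord; sql_quote, bind_sql, like_pattern and the posts table are assumed names, and the LIKE-wildcard escaping goes one step beyond what the post itself shows.

```ruby
# Added example: a minimal stand-in for ActiveRecord's "?" replacement, so the
# quoting can be inspected without a database. sql_quote, bind_sql and
# like_pattern are names assumed here, not ActiveRecord methods.

# Render a Ruby value as a SQL literal: nil -> NULL, numbers as-is, everything
# else single-quoted with embedded quotes doubled.
def sql_quote(value)
  case value
  when nil     then "NULL"
  when Numeric then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each "?" in the template with the next quoted value, the way
# sanitize_sql_array does for :conditions => ["text LIKE ?", params[:string]].
def bind_sql(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "expected #{template.count('?')} values, got #{values.size}"
  end
  queue = values.dup
  template.gsub("?") { sql_quote(queue.shift) }
end

# Binding quotes the string, but "%" and "_" are still LIKE wildcards inside
# it; escape them so a search term matches literally, then add the wildcards
# the search actually wants.
def like_pattern(term)
  "%" + term.gsub(/[\\%_]/) { |c| "\\" + c } + "%"
end

# Constructed search input containing characters that matter to SQL and LIKE.
TERM = "O'Reilly 100%"

# What string interpolation produces: the quote ends the literal early.
def interpolated_sql
  "SELECT * FROM posts WHERE text LIKE '%#{TERM}%'"
end

# What the bound form produces: one well-formed literal, wildcards escaped.
def bound_sql
  bind_sql("SELECT * FROM posts WHERE text LIKE ?", like_pattern(TERM))
end
```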
On 9/18/07, Mindtonic <mindtonic-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> Does anyone have a suggestion for a good method to sanitize user input
> before it is used by a controller? I am aware of the sanitize method,
> but it is part of ActionView and not available to my controllers.
> This seems like a basic security protocol but I can't seem to find a
> good method. Thanks!

There's not a general-purpose solution here. Different uses of data require different techniques. For example:

* passing to a query
* sending to a view
* sending an email
* executing a shell command
* using Ruby's eval() method

There is no one way to "sanitize" data for all of these situations. You have to apply the appropriate techniques to the appropriate uses.
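The point made above, that each destination needs its own treatment, as an added example that is not part of the original thread: one constructed input prepared for a view, a shell command and an email header with Ruby's standard library, plus parsing in place of eval(). The helper names (for_html, for_shell_arg, for_mail_header, page_number, encoded_forms) are assumed here and are not Rails APIs.

```ruby
# Added example, not from the thread: one user-supplied value prepared for
# different destinations with only Ruby's standard library. The helper
# names are assumed here; none of them is a Rails API.
require "cgi"
require "shellwords"

# Constructed input mixing characters that each destination treats as syntax:
# markup, a quote, an ampersand, spaces and a line break.
RAW = "<b>O'Reilly</b> & co\nBcc: x"

# Sending to a view: entity-encode so the browser renders text, not markup.
def for_html(s)
  CGI.escapeHTML(s)
end

# Executing a shell command: quote the value as exactly one argument so the
# shell sees no operators or extra words. Passing an argv array to system()
# avoids the shell entirely and is preferable where possible.
def for_shell_arg(s)
  Shellwords.escape(s)
end

# Sending an email: a header value must not contain line breaks, or the
# submitter can add headers of their own. No encoding repairs this; reject it.
def for_mail_header(s)
  raise ArgumentError, "line break in header value" if s.match?(/[\r\n]/)
  s
end

# Using eval(): nothing makes that safe for user data. Parse the value into
# the type you need instead; here a page number that falls back to 1.
def page_number(s)
  Integer(s, 10)
rescue ArgumentError, TypeError
  1
end

# Each destination gets its own encoding; one form is not valid for another.
def encoded_forms(s)
  { html: for_html(s), shell: for_shell_arg(s) }
end
```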