Mike Laurence
2008-Jan-01 00:27 UTC
Easiest defense against SQL injection in object creation?
I've been scouring the web for suggested Rails defenses against SQL injection, but I haven't found much on the object creation part. Certainly using attr_protected, etc., is a good way to prevent unwanted fields from being modified on the new object (if you're passing a hash as creation parameters), but what about escaping the POSTed info before saving? Couldn't you POST some SQL injector evilness into an 'allowed' field and terminate the INSERT and maybe run some DELETES, etc.? Are people who pass the whole params hash setting themselves up for SQL armageddon?

Let me know if I've got it all wrong. And if there are built-in (or otherwise easy) ways to deal with *all* such potential threats, that would be good to know, too. :-)

Thanks,
Mike
--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
Check this link: http://manuals.rubyonrails.com/read/chapter/43

Active Record takes care of most things for you.

Hope this helps,
Cam

On Jan 1, 11:27 am, Mike Laurence <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> I've been scouring the web for suggested Rails defenses against SQL
> injection, but I haven't found much on the object creation part.
> Certainly using attr_protected, etc., is a good way to prevent unwanted
> fields from being modified on the new object (if you're passing a hash
> as creation parameters), but what about escaping the POSTed info before
> saving? Couldn't you POST some SQL injector evilness into an 'allowed'
> field and terminate the INSERT and maybe run some DELETES, etc.? Are
> people who pass the whole params hash setting themselves up for SQL
> armageddon?
>
> Let me know if I've got it all wrong. And if there are built-in (or
> otherwise easy) ways to deal with *all* such potential threats, that
> would be good to know, too. :-)
>
> Thanks,
> Mike
> --
> Posted via http://www.ruby-forum.com/.
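As an added illustration (not code from this thread or from Rails itself), here is a stand-alone Ruby sketch of the rule the linked manual chapter describes: when `Model.create(params[:user])` builds its INSERT, Active Record quotes every attribute value, so a payload in an 'allowed' field stays inside a string literal instead of ending the statement. The `quote`, `safe_insert`, `naive_insert` and `statements` functions and the `PARAMS` hash are constructed for the example; `quote` mirrors only the ANSI rule (doubling embedded single quotes), not every adapter's driver-specific escaping.

```ruby
# ANSI quoting rule: wrap in single quotes, double any embedded single quote.
# (Active Record's adapters layer driver-specific escaping on top of this.)
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end
# What create(params[:user]) does in effect: every attribute value is quoted.
def safe_insert(table, attrs)
  vals = attrs.values.map { |v| quote(v) }.join(", ")
  "INSERT INTO #{table} (#{attrs.keys.join(', ')}) VALUES (#{vals})"
end

# The hand-rolled pattern the question worries about: values interpolated raw.
def naive_insert(table, attrs)
  vals = attrs.values.map { |v| "'#{v}'" }.join(", ")
  "INSERT INTO #{table} (#{attrs.keys.join(', ')}) VALUES (#{vals})"
end

# Split SQL text into statements on semicolons outside single-quoted literals.
# A doubled quote toggles twice, so it stays inside the literal; "--" ends the input.
def statements(sql)
  out, cur, in_str, i = [], +"", false, 0
  while i < sql.length
    ch = sql[i]
    if in_str
      in_str = false if ch == "'"
    elsif ch == "'"
      in_str = true
    elsif ch == ";"
      out << cur.strip
      cur = +""
      i += 1
      next
    elsif sql[i, 2] == "--"
      break
    end
    cur << ch
    i += 1
  end
  out << cur.strip unless cur.strip.empty?
  out
end

# Constructed request hash: the "name" field carries an injection attempt.
PARAMS = { "name" => "bob'; DELETE FROM users; --", "email" => "bob@example.com" }

if __FILE__ == $0
  p statements(naive_insert("users", PARAMS))  # 2 statements: truncated INSERT, then DELETE
  p statements(safe_insert("users", PARAMS))   # 1 statement: payload stays inside the literal
end
```

Whether a database driver would even execute a second statement varies by adapter; the point is that the quoted value never leaves its literal, and that this guarantee is lost the moment a value is interpolated by hand into a conditions string.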
Mike Laurence
2008-Jan-01 00:59 UTC
Re: Easiest defense against SQL injection in object creation
cammo wrote:
> Check this link
> http://manuals.rubyonrails.com/read/chapter/43
>
> Active Record takes care of most things for you.
>
> Hope this helps,
> Cam
>
> On Jan 1, 11:27 am, Mike Laurence <rails-mailing-l...-ARtvInVfO7m5VldFQK4jKA@public.gmane.orgt>

Ah. I missed the 'attributes are okay' part last time I read through. :-)
--
Posted via http://www.ruby-forum.com/.