Hi,

I'm doing some basic changes related to security like the ones below:

Avoiding mass assignment, substituting:

    @comment = @tab.comments.build(params[:comment])

with:

    @comment.body = params[:comment][:body]

Avoiding SQL injection, substituting:

    @comment = @tab.comments.find(params[:id])

with:

    @comment = @tab.comments.find(:first, :conditions => ["id = ?", params[:id]])

But I am not sure if @comment = @tab.comments.find(params[:id]) is already safe against SQL injection. Can anyone clarify it?

Thanks
--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
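The mass-assignment change in the post above, illustrated with an added example that is not from the thread and is not Rails code: a tiny stand-in model (the Comment class, its "approved" flag and the request hash are all constructed here) that contrasts writing every key a client sends with writing only an allowlisted attribute, which is what the explicit @comment.body = ... assignment achieves.

```ruby
# Added example (not from the thread): a miniature model that contrasts
# unrestricted mass assignment with an allowlisted update. Comment, its
# attribute names and the request hash are all constructed for this demo.
class Comment
  # Attributes a request is allowed to set (the idea behind attr_accessible).
  SAFE_ATTRIBUTES = %w[body].freeze

  attr_reader :attributes

  def initialize
    # "approved" is a privileged flag that only moderation code should flip.
    @attributes = { "body" => nil, "approved" => false }
  end

  # Unrestricted: every key in the hash is written, like build(params[:comment]).
  def mass_assign(hash)
    hash.each { |name, value| @attributes[name.to_s] = value }
    self
  end

  # Allowlisted: unknown or privileged keys are dropped and reported back.
  def assign_safe(hash)
    rejected = []
    hash.each do |name, value|
      if SAFE_ATTRIBUTES.include?(name.to_s)
        @attributes[name.to_s] = value
      else
        rejected << name.to_s
      end
    end
    rejected
  end
end

# Constructed request parameters: a client has added "approved" to the form data.
TAMPERED_PARAMS = { "body" => "Nice tab!", "approved" => true }.freeze

def unrestricted_result
  Comment.new.mass_assign(TAMPERED_PARAMS).attributes
end

def allowlisted_result
  comment = Comment.new
  rejected = comment.assign_safe(TAMPERED_PARAMS)
  [comment.attributes, rejected]
end

if $PROGRAM_NAME == __FILE__
  p unrestricted_result   # "approved" => true slipped through
  p allowlisted_result    # "approved" stays false, and the key is reported
end
```

The rejected-key list is worth logging in a real application: a request that keeps trying to set fields outside the allowlist is a useful signal for monitoring.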
Yes, find(params[:id]) is safe from SQL injection.

On Sat, Jul 26, 2008 at 1:27 PM, comopasta Gr <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Hi,
>
> I'm doing some basic changes related to security like the ones below:
>
> Avoiding mass assignment, substituting:
>     @comment = @tab.comments.build(params[:comment])
>
> with:
>     @comment.body = params[:comment][:body]
>
> Avoiding SQL injection, substituting:
>     @comment = @tab.comments.find(params[:id])
>
> with:
>     @comment = @tab.comments.find(:first, :conditions => ["id = ?", params[:id]])
>
> But I am not sure if @comment = @tab.comments.find(params[:id]) is
> already safe against SQL injection. Can anyone clarify it?
>
> Thanks
> --
> Posted via http://www.ruby-forum.com/.
Hi --

On Sat, 26 Jul 2008, comopasta Gr wrote:
> Hi,
>
> I'm doing some basic changes related to security like the ones below:
>
> Avoiding mass assignment, substituting:
>     @comment = @tab.comments.build(params[:comment])
>
> with:
>     @comment.body = params[:comment][:body]
>
> Avoiding SQL injection, substituting:
>     @comment = @tab.comments.find(params[:id])
>
> with:
>     @comment = @tab.comments.find(:first, :conditions => ["id = ?", params[:id]])
>
> But I am not sure if @comment = @tab.comments.find(params[:id]) is
> already safe against SQL injection. Can anyone clarify it?

Let's ask Rails:

    >> class << ActiveRecord::Base
    >>   alias old_sanitize sanitize_sql
    >>   def sanitize_sql(*args, &block)
    >>     puts "Sanitizing #{args}"
    >>     old_sanitize(*args, &block)
    >>   end
    >> end
    => nil
    >> Team.find(1)
    Sanitizing "teams"."id" = 1
    Sanitizing SELECT * FROM "teams" WHERE ("teams"."id" = 1)

David

--
Rails training from David A. Black and Ruby Power and Light:
* Advancing With Rails  August 18-21  Edison, NJ
* Co-taught by D.A. Black and Erik Kastner
See http://www.rubypal.com for details and updates!
comopasta Gr wrote:
> But I am not sure if @comment = @tab.comments.find(params[:id]) is
> already safe against SQL injection. Can anyone clarify it?

How about you inject some SQL hanky-panky and see what happens to it?

(You can also use assert_efficient_sql to reflect the generated SELECT statement, and examine it for the correct escapes around your fishy :id...)

--
Phlip
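David's instrumentation shows the sanitizer being called twice for a primary-key lookup, and Phlip suggests inspecting the generated SELECT for the escapes around a suspicious :id. The added example below (not David's, Phlip's or Rails' own code) models both sanitization paths in plain Ruby so the resulting statement can be examined offline: a typed integer primary key that is coerced before it reaches the statement (an assumption about how an integer id column is handled, consistent with the unquoted "= 1" in David's output), the ["id = ?", value] bind form that quotes the value, and, for contrast, the raw string interpolation that must be avoided. The table name, the sanitizer functions and the hostile parameter are constructed for the demo.

```ruby
# Added example (not from the thread and not Rails' implementation): a
# miniature stand-in for what an ORM's sanitizer does to a primary-key lookup,
# so the generated SELECT can be inspected for a hostile id. Table/column names,
# the helper functions and the sample input are constructed for this demo.

# Quote a value as a SQL string literal: wrap in single quotes and double any
# embedded single quote.
def quote_string(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Path 1 (assumed model of a typed integer primary key): the value is coerced
# with to_i before it reaches the statement; anything after the digits is lost.
def typed_id_predicate(table, raw_id)
  %("#{table}"."id" = #{raw_id.to_i})
end

# Path 2: the ["id = ?", value] form. Each ? is replaced by a quoted value.
def bind_predicate(template, *values)
  raise ArgumentError, "placeholder count mismatch" unless template.count("?") == values.size
  values = values.dup
  template.gsub("?") { quote_string(values.shift) }
end

# Path 0 (the defect to avoid): string interpolation of the raw parameter.
def interpolated_predicate(table, raw_id)
  %("#{table}"."id" = #{raw_id})
end

def select_for(table, predicate)
  %(SELECT * FROM "#{table}" WHERE (#{predicate}))
end

# Constructed hostile parameter, as it would arrive in params[:id].
HOSTILE_ID = "1 OR 1=1".freeze

def generated_statements(raw_id = HOSTILE_ID)
  {
    interpolated: select_for("comments", interpolated_predicate("comments", raw_id)),
    typed:        select_for("comments", typed_id_predicate("comments", raw_id)),
    bound:        select_for("comments", bind_predicate("id = ?", raw_id))
  }
end

# A check in the spirit of Phlip's advice: the raw parameter must never appear
# unquoted inside the WHERE clause of the statement that was generated.
def predicate_tampered?(sql, raw_id)
  where = sql[/WHERE \((.*)\)\z/, 1]
  where.include?(raw_id) && !where.include?(quote_string(raw_id))
end

if $PROGRAM_NAME == __FILE__
  generated_statements.each do |path, sql|
    puts "#{path}: #{sql}  tampered=#{predicate_tampered?(sql, HOSTILE_ID)}"
  end
end
```

Only the interpolated path lets the OR 1=1 predicate survive into the statement; the typed path reduces the parameter to 1 and the bind path keeps the whole string inside a quoted literal, which is why the thread's answer to the original question is "yes" for find(params[:id]) and for the :conditions form alike.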
Thank you for the replies! Cheers.
--
Posted via http://www.ruby-forum.com/.