On 1 Aug 2008, at 15:07, Shandy Nantz wrote:
>
> I have been notified by my boss that a large company that is using my
> app is going to start and try to hack it for vulnerabilities and
> while
> I feel that I have things pretty well secure I just wanted to inquire
> about, first, what is meant when rails says the SQL statements are
> 'sanitized' when you use
> find(:all, :conditions => ['.....']), and secondly,
> can anyone point
sanitized means that the parameters you plug in are escaped so that
(for example)
find :all, :conditions => ["name=?", "bob'; delete * from users"]
is harmlessly escaped.
You should be safe from sql injection as long as you use :conditions
like this (or the hash form of conditions)
If you do this
find :all, :conditions => "name='#{params[:name]}'"
then you're in trouble.
Fred
>
> me to some good online references that deal with XSS and SQL injection
> attacks. Thanks,
>
> -S
> --
> Posted via http://www.ruby-forum.com/.
>
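To make Fred's point concrete, here is an added example (not code from the thread, and not ActiveRecord's own implementation). The `sanitize_conditions` helper is a simplified stand-in for what the array form of `:conditions` does: each `?` is replaced by a quoted value whose embedded single quotes are doubled. `unsafe_conditions` is the string-interpolation form. A small scanner then counts semicolons that fall outside quoted literals, which is what separates "one harmless string comparison" from "two statements". The hostile input is the one from Fred's example.

```ruby
# Simplified quoting, standing in for the database adapter's quote method.
# Assumption: SQL-standard string literals where ' inside a literal is written as ''.
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"   # double every embedded single quote
  end
end

# Mimics the array form: find :all, :conditions => ["name=?", value]
# Each "?" placeholder is replaced by the quoted value, never by raw text.
def sanitize_conditions(template, *values)
  raise ArgumentError, "wrong number of bind values" unless template.count("?") == values.length
  vals = values.dup
  template.gsub("?") { quote_value(vals.shift) }
end

# Mimics the dangerous form: find :all, :conditions => "name='#{params[:name]}'"
# The value is dropped straight into the SQL text with no escaping.
def unsafe_conditions(name)
  "name='#{name}'"
end

# Counts ";" characters that are not inside a quoted literal. In a single
# conditions fragment the answer should be 0; anything else means the input
# managed to close the literal and start new SQL.
def semicolons_outside_quotes(sql)
  in_quote = false
  count = 0
  i = 0
  while i < sql.length
    c = sql[i]
    if c == "'"
      if in_quote && sql[i + 1] == "'"
        i += 1                      # '' is an escaped quote, stay inside the literal
      else
        in_quote = !in_quote        # opening or closing quote
      end
    elsif c == ";" && !in_quote
      count += 1
    end
    i += 1
  end
  count
end

# Constructed hostile value, taken from Fred's example in the reply above.
HOSTILE = "bob'; delete * from users"

def demo
  safe   = sanitize_conditions("name=?", HOSTILE)
  unsafe = unsafe_conditions(HOSTILE)
  {
    safe:   safe,   # name='bob''; delete * from users'   -> one literal, 0 stray semicolons
    unsafe: unsafe, # name='bob'; delete * from users'    -> literal closed, 1 stray semicolon
    safe_breakouts:   semicolons_outside_quotes(safe),
    unsafe_breakouts: semicolons_outside_quotes(unsafe)
  }
end

puts demo.inspect if __FILE__ == $0
```

The escaped version never leaves the string literal, so the database compares `name` against the whole hostile string and nothing else runs. The interpolated version closes the literal after `bob` and hands the rest to the database as new SQL. The same placeholder discipline applies to the hash form of `:conditions`, which quotes values the same way.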