I understand that it's easy for someone to do all kinds of nasty things to a database. I am trying to work on security.

Could someone tell me if the following query is structured correctly for security?

    # find matching manufacturers
    def self.find_all(manufacturer = "")
      find(:all, :order => "name", :conditions => ["name like ?", "%#{manufacturer}%"])
    end

Thank you in advance

Mitchell
--
Posted via http://www.ruby-forum.com/.
Marnen Laibow-Koser
2009-Oct-29 03:47 UTC
Re: Could someone tell me if the query is secure
Mitchell Gould wrote:
> I understand that it's easy for someone to do all kinds of nasty things
> to a database. I am trying to work on security.
>
> Could someone tell me if the following query is structured correctly for
> security
>
> # find matching manufacturers
> def self.find_all(manufacturer = "")
>   find(:all, :order => "name", :conditions => ["name like ?",
>     "%#{manufacturer}%"])
> end

I believe so. The only user input is bound to a placeholder symbol ('?'), which will mean that a parameterized query will be used. Therefore, I don't think SQL injection is possible, and I don't see any other problems. By contrast, "name like %#{manufacturer}%" would be insecure.

> Thank you in advance
>
> Mitchell

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
Hi

> By contrast, "name like %#{manufacturer}%" would be insecure.

And I think this too is secure unless manufacturer is the direct user input from params etc.

Sijo
Sijo k g wrote:
> Hi
>
>> By contrast, "name like %#{manufacturer}%" would be insecure.
>
> And I think this too is secure unless manufacturer is the direct user
> input from params etc.
>
> Sijo

Hey, thanks for the feedback. manufacturer is the direct user input.

cheers
Mitch
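To make the distinction in Marnen's answer and Sijo's follow-up concrete, here is an added example (mine, not code from the thread or from Rails) that builds the SQL text each condition style produces. It assumes a `manufacturers` table with a `name` column, mimics adapter quoting in plain Ruby so it runs without a database, and also shows the LIKE-wildcard point that binding alone does not address.

```ruby
# Added example, not code from the thread. It contrasts the two condition
# styles discussed above with a small stand-in for the quoting a database
# adapter applies when ActiveRecord binds a "?" placeholder, so it runs
# without a database. Table and column names are assumed from the thread.

# Stand-in for bound-value quoting: wrap in single quotes and double any
# embedded single quote, so the value can never terminate the literal.
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Mirrors ["name like ?", "%#{manufacturer}%"]: the whole pattern is one
# bound value, and the wildcards are added by the code, not by the user.
def bound_like(manufacturer)
  pattern = "%#{manufacturer}%"
  "SELECT * FROM manufacturers WHERE name like #{quote_value(pattern)} ORDER BY name"
end

# Mirrors the interpolated form Marnen warns against: the raw input is
# spliced into the SQL text, so a quote in it changes the statement.
def interpolated_like(manufacturer)
  "SELECT * FROM manufacturers WHERE name like '%#{manufacturer}%' ORDER BY name"
end

# Caveat binding does not cover: "%" and "_" are LIKE wildcards, so a bound
# but unescaped "%" still matches every row. Escape them (and the escape
# character itself) and tell the database which escape character was used.
def escape_like(value, esc = "!")
  value.to_s.gsub(/[%_#{Regexp.escape(esc)}]/) { |m| esc + m }
end

def bound_like_escaped(manufacturer)
  pattern = "%#{escape_like(manufacturer)}%"
  "SELECT * FROM manufacturers WHERE name like #{quote_value(pattern)} ESCAPE '!' ORDER BY name"
end

if __FILE__ == $PROGRAM_NAME
  input = "' OR 1=1 --"           # constructed input containing a quote
  puts bound_like(input)          # quote is doubled; still one LIKE pattern
  puts interpolated_like(input)   # quote closes the literal; statement rewritten
  puts bound_like_escaped("50%")  # user's "%" no longer acts as a wildcard
end
```

Running it prints the three statements side by side; only the interpolated one lets the constructed input leave the string literal.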