Rails - Oct 2009 - Could someone tell me if the query is secure

I understand that its easy for someone to do all kinds of nasty things
to a database. I am trying to work on security.

Could someone tell me if the following query is structured correctly for
security

#find matching manufacturers
  def self.find_all(manufacturer="")
      find(:all, :order => "name", :conditions => ["name
like ?",
"%#{manufacturer}%"])
  end

Thank you in advance

Mitchell
-- 
Posted via http://www.ruby-forum.com/.

Mitchell Gould wrote:
> 
> 
> I understand that its easy for someone to do all kinds of nasty things
> to a database. I am trying to work on security.
> 
> Could someone tell me if the following query is structured correctly for
> security
> 
> #find matching manufacturers
>   def self.find_all(manufacturer="")
>       find(:all, :order => "name", :conditions =>
["name like ?",
> "%#{manufacturer}%"])
>   end
I believe so.  The only user input is bound to a placeholder symbol 
(''?''), which will mean that a parameterized query will be
used.
Therefore, I don''t think SQL injection is possible, and I
don''t see any
other problems.

By contrast, "name like %#{manufacturer}%" would be insecure.
> 
> Thank you in advance
> 
> Mitchell
Best,
--
Marnen Laibow-Koser
http://www.marnen.org
marnen-sbuyVjPbboAdnm+yROfE0A@public.gmane.org
-- 
Posted via http://www.ruby-forum.com/.

Hi
> By contrast, "name like %#{manufacturer}%" would be insecure.
And I think this too is secure unless manufacture is the direct user 
input from params etc



Sijo
-- 
Posted via http://www.ruby-forum.com/.

Sijo k g wrote:
> Hi
> 
>> By contrast, "name like %#{manufacturer}%" would be insecure.
> 
> And I think this too is secure unless manufacture is the direct user 
> input from params etc
> 
> 
> 
> Sijo
Hey thanks for the feedback. manufacturer is the direct user input.

cheers

Mitch
-- 
Posted via http://www.ruby-forum.com/.