andreo-FdlSlcb4kYpknbxzx/v8hQ@public.gmane.org
2013-Apr-12 11:22 UTC
rails named scopes and sql injection
Hi guys,

I just came across an example in the code of the place I work for that said something like this could be vulnerable to SQL injection attacks:

    scope :with_name, lambda { |name| where("LOWER(name) LIKE ?", name.downcase) }

I wonder if this is true. My thought is that Rails should escape this and that anything that tried to do something different would fail on the translation to SQL, but does anybody know exactly what happens behind the curtains?

all the best,

Andre

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/sUZMdFuzGT0J. For more options, visit https://groups.google.com/groups/opt_out.
On Friday, 12 April 2013 07:22:24 UTC-4, and...-FdlSlcb4kYpknbxzx/v8hQ@public.gmane.org wrote:
> scope :with_name, lambda { |name| where("LOWER(name) LIKE ?", name.downcase) }
>
> I wonder if this is true. [...] does anybody know exactly what happens behind the curtains?

Everything that's inserted into placeholders (the ? above) is escaped, so characters like ' will not break the SQL quoting and allow mischief. Modern Rails versions will even use prepared statements to do this, if your DB adapter supports them.

Your colleague may have been thinking of the (similar but NOT SECURE) form:

    scope :with_name_plus_HAX, lambda { |name| where("LOWER(name) LIKE '#{name}'") }

Here the variable is manually interpolated, and will NOT get any escaping. DON'T DO THIS. :)

--Matt Jones
AFAIK, using the array syntax, or the syntax you used in the where, IS NOT vulnerable to injection attacks. This matches up with my experience.

You can try this out yourself to verify.

Julian

On 12/04/2013, at 9:22 PM, andreo-FdlSlcb4kYpknbxzx/v8hQ@public.gmane.org wrote:
> scope :with_name, lambda { |name| where("LOWER(name) LIKE ?", name.downcase) }
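The placeholder-versus-interpolation point from Matt's reply, and Julian's suggestion to try it yourself, as an added stand-alone example. This is not code from the thread and not ActiveRecord's own code: the `quote` helper is a simplified stand-in for the string quoting an adapter performs, `bound_where` and `interpolated_where` are hypothetical models of the two scopes, `single_literal?` is an illustrative check written for this example, and the hostile input is constructed. It needs only plain `ruby`, no Rails.

```ruby
# Added example (not from the thread): a stand-alone model of the two ways the
# scope above can build its WHERE clause. Plain Ruby, no ActiveRecord required.
#
# `quote` stands in for the string quoting an ActiveRecord adapter performs
# (wrap in single quotes, double every embedded single quote). It is a
# simplified stand-in written for this example, not ActiveRecord's own code;
# real adapters also handle backslashes, encodings and NUL bytes per database.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Models where("LOWER(name) LIKE ?", name.downcase): every "?" is replaced by
# the *quoted* argument, so whatever the caller passes can only ever become
# the contents of one string literal.
def bound_where(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/argument count mismatch"
  end
  values.each_with_object(template.dup) do |value, sql|
    sql.sub!("?") { quote(value) }   # block form: no backreference expansion
  end
end

# Models where("LOWER(name) LIKE '#{name}'"): raw interpolation, no quoting.
# Kept deliberately vulnerable, as in Matt's "NOT SECURE" form.
def interpolated_where(name)
  "LOWER(name) LIKE '#{name}'"
end

# Crude structural check used only to make the difference visible: does the
# clause still consist of the fixed prefix followed by exactly one SQL string
# literal (where '' is an escaped quote) and nothing else?
def single_literal?(clause)
  clause.match?(/\ALOWER\(name\) LIKE '(?:[^']|'')*'\z/)
end

# Separate caveat: placeholders quote the value, but they do not neutralise
# LIKE's own metacharacters. "%" or "_" in user input still changes the match
# (not injection, but a way to enumerate rows). This applies the same escape
# that Rails 4.2+'s sanitize_sql_like performs; whether "\" is the default
# LIKE escape character depends on the database, so add an explicit
# ESCAPE '\' clause where it is not.
def sanitize_like(pattern, escape = "\\")
  pattern.gsub(/[\\%_]/) { |ch| escape + ch }
end

HOSTILE = "x' OR '1'='1"   # constructed attacker input for the demo

if __FILE__ == $0
  puts "bound:        #{bound_where('LOWER(name) LIKE ?', HOSTILE.downcase)}"
  puts "interpolated: #{interpolated_where(HOSTILE.downcase)}"
  puts "like-escaped: #{bound_where('LOWER(name) LIKE ?', '%' + sanitize_like('50%_off') + '%')}"
end
```

Run it with `ruby file.rb`: the bound form yields one literal containing `x'' OR ''1''=''1`, the interpolated form yields `'x' OR '1'='1'`, a tautology spliced into the clause. In a real app the equivalent micro-experiment is `Model.with_name("x' OR '1'='1").to_sql` in `rails console`, which shows the SQL ActiveRecord actually generates without executing it.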
andreo-FdlSlcb4kYpknbxzx/v8hQ@public.gmane.org
2013-Apr-15 09:29 UTC
Re: rails named scopes and sql injection
I just don't have the time right now to try this. I just wanted to see if there was any documentation on the subject, because I couldn't find anything that would tell me otherwise. But thanks for your help, guys :)

On Friday, 12 April 2013 15:49:42 UTC+2, Julian wrote:
> AFAIK, using the array syntax, or the syntax you used in the where, IS NOT vulnerable to injection attacks. This matches up with my experience.
>
> You can try this out yourself to verify.
It'd take less time than replying to this email. You should always teach yourself with micro-experiments where possible, IMHO.

Julian

On 15/04/2013, at 7:29 PM, andreo-FdlSlcb4kYpknbxzx/v8hQ@public.gmane.org wrote:
> I just don't have the time right now to try this. I just wanted to see if there was any documentation on the subject, because I couldn't find anything that would tell me otherwise. But thanks for your help, guys :)