search for: allowed_columns

Displaying 1 result from an estimated 1 matches for "allowed_columns".

2007 Oct 15
6
SQL injection with :order, :limit, :group
I know how to avoid SQL injection attacks when you use :conditions

    User.find :first, :conditions => ["login=?", params[:username]]

but how about with :order, :limit or :group?

    # uh-oh...spaghetti-oh
    User.find :first, :order => "login; delete from users; select * from users"

Pat