Displaying 20 results from an estimated 25 matches for "sanitize_sql".
2006 May 24
0
ActiveRecord::Base.sanitize_sql and SQL injection vulnerability.
...multi-byte
vulnerability, and if so how?
--
-Alder
[1] http://www.postgresql.org/about/news.561
[2] http://www.postgresql.org/docs/techdocs.48
[3] ["name='%s' and group_id='%s'", "foo'bar", 4] which I gathered
work through AR::Base.sanitize_sql
2006 Apr 04
5
How to implement tag clouds using plugin?
...ags_join_model ? tags_join_model.table_name :
tags_join_table
sql = "SELECT #{t}.#{t_pk} AS id, #{t}.name AS name, COUNT(*)
AS count FROM #{jt}, #{o}, #{t} WHERE #{jt}.#{t_fk} = #{t}.#{t_pk}
AND #{jt}.#{o_fk} = #{o}.#{o_pk}"
sql << " AND #{sanitize_sql(options[:conditions])}" if
options[:conditions]
sql << " GROUP BY #{t}.name"
sql << " HAVING count #{options[:count]} " if options[:count]
sql << " ORDER BY #{options[:order]} " if options[:order]
add_limi...
2008 Sep 17
13
Capturing the sql from a statement without executing it?
Hi guys,
Is there an elegant way to capture the sql that would have been
executed by an ActiveRecord statement, without actually executing
it? :)
I'm imagining something like
sql = User.find(1).groups.to_sql
or perhaps
sql = ActiveRecord::Base.capture_sql { User.find(1).groups }
resulting in sql = 'SELECT * FROM groups INNER JOIN memberships....
WHERE users.id =
2008 Mar 14
2
MySQL IN clause for an array of strings
..._zipcodes.each {|z|
zips_clause += ',' if !zips_clause.blank?
zips_clause += '\'' + z + '\'' # wrap string in single-quotes
}
zips_clause = '(' + zips_clause + ')'
conditions = sanitize_sql(["updated_at > ? AND local_code IN ?",
since_date, zips_clause])
This is the resulting SQL:
SELECT * FROM tips WHERE (updated_at > '2008-03-14 11:55:29' AND
local_code IN '(\'94952\',\'08054\',\'11111\'...
2006 Dec 04
10
Avoiding SQL Injection in :order?
This thread references:
http://www.ruby-forum.com/topic/90258#new
http://www.ruby-forum.com/topic/82349#143790
ActiveRecord's find() method has built in ways to avoid SQL injection by
using the format
> :conditions => [ "user_name = ?", user_name]
Is there any such system for escaping injection in :order? It seems to
only take a string and feed it to the SQL
2006 Mar 21
2
SQL bug in acts_as_taggable
...looks like a bug in this code from the method tags_count:
sql = "SELECT #{t}.#{t_pk} AS id, #{t}.name AS name, COUNT
(*) AS count
FROM #{jt}, #{o}, #{t} WHERE #{jt}.#{t_fk} = #{t}.#{t_pk}
AND #{jt}.#{o_fk} = #{o}.#{o_pk}"
sql << " AND #{sanitize_sql(options[:conditions])}" if options[:conditions]
sql << " GROUP BY #{t}.name"
My database (PostgreSQL 8) laments that the 'tags.id' column should
be in the "GROUP BY" clause, which seems reasonable to me. The last
line should be:...
2005 Mar 23
1
Can't connect to local MySQL server through socket '/tmp/mysql.sock' (61)
...by/gems/1.8/gems/activerecord-1.9.0/lib/active_record/base.rb:841:in
`gsub'
/usr/local/lib/ruby/gems/1.8/gems/activerecord-1.9.0/lib/active_record/base.rb:841:in
`replace_bind_variables'
/usr/local/lib/ruby/gems/1.8/gems/activerecord-1.9.0/lib/active_record/base.rb:830:in
`sanitize_sql'
/usr/local/lib/ruby/gems/1.8/gems/activerecord-1.9.0/lib/active_record/base.rb:732:in
`add_conditions!'
/usr/local/lib/ruby/gems/1.8/gems/activerecord-1.9.0/lib/active_record/base.rb:356:in
`find_all'
/usr/local/lib/ruby/gems/1.8/gems/activerecord-1.9.0/lib/a...
2006 Jun 30
0
find_by_sql not quoting properly (in acts_as_taggable plugin)
...IN ('don't')", I know that's bad, but all the code is
the *same* so why isn't it being quoted properly??
I've trolled down into active_record/base.rb and the call tree: (dive
in yourself if you prefer...)
find_by_sql(sql)
sanitize_sql(sql)
statement, *values = sql
replace_bind_variables(statement, values)
bound = values.dup
statement.gsub('?') { quote_bound_value(bound.shift) }
if (value.respond_to?
(:map) &a...
2006 Jan 29
9
Specify options with habtm
Hi all
I have the following models:
class member
has_and_belongs_to_many :disc_jockeys
end
class disc_jockey
has_and_belongs_to_many :members
end
The relation table is called disc_jockeys_members and has the following
fields:
disc_jockeys_members(disc_jockey_id, member_id, status)
So far, the field status can have values like valid, invalid, locked
etc., but it is not regarded yet by
2006 Jun 20
2
Problem with "can't dump anonymous class Class"
...activerecord-1.14.2/lib/active_record/base.rb
:1287:in `replace_bind_variables'
C:/Ruby/lib/ruby/gems/1.8/gems/activerecord-1.14.2/lib/active_record/base.rb
:1287:in `replace_bind_variables'
C:/Ruby/lib/ruby/gems/1.8/gems/activerecord-1.14.2/lib/active_record/base.rb
:1276:in `sanitize_sql'
C:/Ruby/lib/ruby/gems/1.8/gems/activerecord-1.14.2/lib/active_record/base.rb
:1062:in `add_conditions!'
C:/Ruby/lib/ruby/gems/1.8/gems/activerecord-1.14.2/lib/active_record/base.rb
:1012:in `construct_finder_sql'
C:/Ruby/lib/ruby/gems/1.8/gems/activerecord-1.14.2/l...
2009 Nov 17
5
has_many :through and foo.bars.include?
.../activerecord-2.3.4/lib/
active_record/base.rb:2352:in `gsub'
from /usr/lib64/ruby/gems/1.8/gems/activerecord-2.3.4/lib/
active_record/base.rb:2352:in `replace_bind_variables'
from /usr/lib64/ruby/gems/1.8/gems/activerecord-2.3.4/lib/
active_record/base.rb:2320:in `sanitize_sql_hash_for_conditions'
from /usr/lib64/ruby/gems/1.8/gems/activerecord-2.3.4/lib/
active_record/base.rb:2231:in `sanitize_sql'
from /usr/lib64/ruby/gems/1.8/gems/activerecord-2.3.4/lib/
active_record/base.rb:2006:in `expand_id_conditions'
from /usr/l...
2006 Feb 13
0
count_as_taggable distinctly
...COUNT(DISTINCT #{o}.#{o_pk}) FROM #{jt}, #{o},
#{t} WHERE #{jt}.#{t_fk} = #{t}.#{t_pk}
AND (#{t}.name = '#{tag_names.join("' OR
#{t}.name='")}')
AND #{o}.#{o_pk} = #{jt}.#{o_fk}"
sql << " AND #{sanitize_sql(options[:conditions])}" if
options[:conditions]
count_by_sql(sql)
end
--
Posted via http://www.ruby-forum.com/.
2005 Dec 26
0
Extend the find-method: more conditions
Hi,
I want to share some helpful code snippet. Can it further be optimized?
Or is this even good to do?
Put this in your model to write a customized find method having more
conditions:
def self.find_active(*args)
options = extract_options_from_args!(args)
conditions = "AND (#{sanitize_sql(options[:conditions])})" if
options[:conditions]
options[:conditions] = "ADDITIONAL_CONDITIONS_GO_HERE #{conditions}"
args << options
find(*args)
end
regards,
Helmut
2005 Sep 07
0
using Oracle bind vars in Rails
...Not likely to be noticed in a small scale app that's just got a handful
of queries or DML per request. But our site provides an API through
which folks manage hundreds of thousands of database rows, so this adds
up quickly.
Looks like I'd need to replace the call to AR::Base#sanitize_sql, which
currently does the condition substitution, and let the OCI connection
handle that instead.
So, has anyone looked at this idea? Does a similar concept apply with
other dbs?
----- MY TEST APP ------
require 'oci8'
require 'benchmark'
conn = OCI8.new...
2006 Sep 07
1
ActiveRecord's "conditions" magic
I've programmatically built an array suitable for ActiveRecord::Base.find()s
:conditions parameter. However, I'm also doing a find_by_sql on the same model
and I want to generate the relevant WHERE clause.
Does Activerecord have an easy way to do this? I can't see anything immediately
in the docs
Thanks,
Gareth
2006 Mar 16
1
Rails SQL generation (Firebird adapter) - can someone explain ...
I see some possible issues with the SQL that is being generated by the
firebird adapter.
Every SQL is being generated on the fly by concatenating strings.
Can someone please explain why the SQL is being generated the way it is?
I cannot use this in real life for a couple of reasons:
1. This introduces a security hole because a user, accidentally or
deliberately, could potentially submit a
2006 Jan 05
2
Rails 1.0 Crashing: Errno::EPIPE (Broken pipe):
...rd-1.13.2/lib/active_record/base
.rb:1133:in `replace_bind_variables'
/usr/local/lib/ruby/gems/1.8/gems/activerecord-1.13.2/lib/active_record/base
.rb:1133:in `replace_bind_variables'
/usr/local/lib/ruby/gems/1.8/gems/activerecord-1.13.2/lib/active_record/base
.rb:1122:in `sanitize_sql'
/usr/local/lib/ruby/gems/1.8/gems/activerecord-1.13.2/lib/active_record/base
.rb:942:in `add_conditions!'
/usr/local/lib/ruby/gems/1.8/gems/activerecord-1.13.2/lib/active_record/base
.rb:921:in `construct_finder_sql'
/usr/local/lib/ruby/gems/1.8/gems/activere...
2007 Aug 06
4
problem with rails_root
...ruby/gems/1.8/gems/activerecord-1.15.3/lib/active_record/base.rb:1427:in
`gsub'
/usr/local/lib/ruby/gems/1.8/gems/activerecord-1.15.3/lib/active_record/base.rb:1427:in
`replace_bind_variables'
/usr/local/lib/ruby/gems/1.8/gems/activerecord-1.15.3/lib/active_record/base.rb:1416:in
`sanitize_sql_array'
/usr/local/lib/ruby/gems/1.8/gems/activerecord-1.15.3/lib/active_record/base.rb:1387:in
`sanitize_sql'
/usr/local/lib/ruby/gems/1.8/gems/activerecord-1.15.3/lib/active_record/base.rb:1163:in
`add_conditions!'
/usr/local/lib/ruby/gems/1.8/gems/activerecord-1.15.3/li...
2006 Jan 21
4
Single quotes in parameters
I have a "search" action for my "projects" controller, which defines a
set of projects as follows
@projects = Project.find(:all, :include => [:user,:clients], :conditions
=> "name like '%" + params[:query] + "%'", :order => 'number')
This works fine, until I type an entry into my search box that has a
single
2006 Jul 05
2
Serialized object behaves weird
Hi!
I got a class named EinsatzFilter which I serialized to session. Before
saving to session it works afterwards I keep getting the message:
"undefined method `to_s' for #<Person:0x38c6ab8>". "Person" is a from
ActiveRecord::Base inherited class.
Code:
class EinsatzFilter
include ApplicationHelper
attr_reader :personen, :monat, :projekte, :kunde