[Rails] SQL Injection Attacks
Curt Sampson
cjs at cynic.net
Thu Dec 2 01:53:24 GMT 2004
On Wed, 1 Dec 2004, Jorge Sousa wrote:
> Why instead of generating inline SQL statements like AR is doing and
> passing them through the respective adapter to be executed, AR could
> generate SQL statements with parameters....
I don't understand why AR is not doing this now. Let's look at what
happens when you don't do this:
1. You now have code duplication: both the database driver and AR
have quoting code for a particular database.
2. Therefore, you don't get quoting code changes and bug fixes from
the driver.
3. This leads to the potential that the quoting code is different
between the two.
4. This can actually lead to security holes, since the AR quoting
code may improperly miss quoting something and allow SQL injection
attacks.
SQL injection attacks are actually a big fear of mine with rails; I've
not seen any convincing evidence that care has been taken on this
issue, and some evidence (such as this) that it hasn't been sufficiently
examined. I'd hate to see rails get a reputation akin to that of
PHPNuke, which seems to have a weekly SQL injection attack posted to
bugtraq.
Beyond that, there's the issue of ruby's security level, tainting input
variables, and so on, which I've not looked at at all in relation to
rails.
cjs
--
Curt Sampson <cjs at cynic.net> +81 90 7737 2974 http://www.NetBSD.org
Make up enjoying your city life...produced by BIC CAMERA
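As an added example (not code from the post or from Active Record) of the two designs contrasted in the thread, here is a hypothetical finder written both ways in plain Ruby; the dialect table, function names and sample values are assumptions, and no real database is touched:

```ruby
# Added example, not code from the list post or from Active Record.
# A hypothetical finder built two ways; no real database is touched.

# Approach the post worries about: the ORM carries its own quoting rules,
# one per database dialect, duplicating (and possibly diverging from) the
# driver's own code. Two made-up rule sets stand in for that duplication.
QUOTE_RULES = {
  # SQL standard: a literal single quote is written as two single quotes
  standard:  ->(s) { s.gsub("'") { "''" } },
  # Dialects that also treat backslash as an escape character need a
  # different rule; a rule that does not match the driver's is the risk
  backslash: ->(s) { s.gsub("\\") { "\\\\" }.gsub("'") { "\\'" } },
}.freeze

def quote_hand_rolled(value, dialect)
  rule = QUOTE_RULES.fetch(dialect)   # KeyError when the ORM has no rule
  "'" + rule.call(value.to_s) + "'"
end

# Inline SQL: the statement text changes with every input value
def find_by_name_inline(name, dialect)
  "SELECT * FROM users WHERE name = #{quote_hand_rolled(name, dialect)}"
end

# Parameterized statement, the alternative proposed in the thread: the SQL
# text is constant and the value travels separately to the driver, which
# applies its own escaping (or none, with native binding). The ORM needs
# no per-dialect quoting table at all.
def find_by_name_bound(name)
  ["SELECT * FROM users WHERE name = ?", [name.to_s]]
end

# Invariant a reviewer can assert in tests: across arbitrary inputs the
# bound statement's SQL text never varies, so input cannot alter its shape.
def sql_text_invariant?(inputs)
  inputs.map { |n| find_by_name_bound(n).first }.uniq.size == 1
end

if __FILE__ == $0
  ["alice", "o'neil", "back\\slash"].each do |n|   # constructed sample values
    puts find_by_name_inline(n, :standard)
    puts find_by_name_inline(n, :backslash)
    p find_by_name_bound(n)
  end
  puts sql_text_invariant?(["alice", "o'neil", "back\\slash"])
end
```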