[Rails] SQL Injection Attacks
Michael Koziarski
koziarski at gmail.com
Sat Dec 4 02:00:08 GMT 2004
Another benefit of bind variables is that we can easily use dates in
our finders. There are a couple of factors to correctly quoting a
bound variable:
1) The type of the column
2) The database adapter.
Now 2 is easy: Rails can just provide a series of default 'escape_x'
functions which the different adapters can override.
Correct me if I'm wrong but 1 is a little harder here. As
ActiveRecord doesn't appear to parse the SQL provided to it, AR can't
figure out the correct type of the column, it can only work on the
type of the variable provided to it.
Is this a potential security problem? If it's not a safe approach,
we could have JDBC style:
s.setDate(1, theDate);
s.setInteger(2, theInt);
s.setString(3, theString);
but I'd much prefer something simple like:
find(["event_date BETWEEN ? and ?", range.from, range.to]);
I could have a try at implementing this tonight (NZDT) if it seems safe.
On Fri, 3 Dec 2004 18:12:19 -0600, Dave Thomas <dave at pragprog.com> wrote:
>
> On Dec 3, 2004, at 16:21, Bruno Mattarollo wrote:
>
> > I am not really well versed in AR or Rails (nor the database adapters
> > in Ruby) but using "bind variables" is usually the way to avoid SQL
> > injection.
>
> Indeed - that's exactly what I'm recommending.
>
> Cheers
>
> Dave
--
Cheers
Koz
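The two quoting factors Koz raises (column type versus Ruby type, and adapter-specific escaping) can be seen in a small `?` binder of the kind his `find(["event_date BETWEEN ? and ?", range.from, range.to])` proposal implies. The code below is an added illustration, not Koz's patch and not ActiveRecord's own implementation; the `Binder` module and its `escape_string`, `quote` and `bind` methods are hypothetical names. It quotes each bound value from its Ruby type only, which is exactly the limitation described above: a `String` is always emitted as a quoted, escaped literal, so a string that happens to contain SQL is still just a literal, but an integer column bound with the string `"42"` gets `'42'` rather than `42`.

```ruby
require 'date'

# Constructed example of a "?" placeholder binder in the spirit of
# find(["event_date BETWEEN ? and ?", from, to]). Not ActiveRecord code.
module Binder
  # Adapter-specific string escaping. A real adapter would override this;
  # this default doubles single quotes (ANSI SQL) and drops NUL bytes.
  def self.escape_string(str)
    str.delete("\0").gsub("'", "''")
  end

  # Quote one bound value from the Ruby type of the value. The binder never
  # parses the SQL, so it cannot know the column type (factor 1 above).
  def self.quote(value)
    case value
    when nil            then 'NULL'
    when true           then 'TRUE'
    when false          then 'FALSE'
    when Integer, Float then value.to_s
    when Time, DateTime then "'#{value.strftime('%Y-%m-%d %H:%M:%S')}'"
    when Date           then "'#{value.strftime('%Y-%m-%d')}'"
    when String         then "'#{escape_string(value)}'"
    else raise ArgumentError, "cannot bind a #{value.class}"
    end
  end

  # Replace each ? with the quoted form of the next bound value.
  # A placeholder/value count mismatch is an error rather than a silently
  # half-bound statement.
  def self.bind(sql, *values)
    placeholders = sql.count('?')
    unless placeholders == values.size
      raise ArgumentError, "expected #{placeholders} values, got #{values.size}"
    end
    remaining = values.dup
    sql.gsub('?') { quote(remaining.shift) }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts Binder.bind('event_date BETWEEN ? and ?', Date.new(2004, 12, 1), Date.new(2004, 12, 31))
  puts Binder.bind('name = ?', "x' OR '1'='1")   # stays a single quoted literal
  puts Binder.bind('id = ?', '42')               # quoted, because the Ruby value is a String
end
```

Because the value, not the column, drives quoting, a caller who wants `id = 42` must pass an `Integer`; that is the gap a JDBC-style `setInteger`/`setDate` API closes at the cost of the verbosity Koz wants to avoid.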