[Rails] SQL Injection Attacks

Jim Weirich jweirich at one.net
Sat Dec 4 03:21:15 GMT 2004


On Friday 03 December 2004 09:00 pm, Michael Koziarski wrote:
> Another benefit of bind variables is that we can easily use dates in
> our finders.  There are a couple of factors to correctly quoting a
> bound variable:
>
> 1) The type of the column
> 2) The database adapter.
>
> Now 2 is easy, rails can just provide a series of default 'escape_x'
> functions which the different adapters can override.
>
> Correct me if I'm wrong but 1 is a little harder here.  As
> ActiveRecord doesn't appear to parse the SQL provided to it, AR can't
> figure out the correct type of the column, it can only work on the
> type of the variable provided to it.
>
> Is this a potential security problem?   If it's not a safe approach,
> we could have JDBC style:
>
> s.setDate(1, theDate);
> s.setInteger(2, theInt);
> s.setString(3, theString);
>
> but I'd much prefer something simple like:
>
> find(["event_date BETWEEN ? and ?", range.from, range.to]);

The Ruby DBI library provides standard binding and quoting functions for the 
use of its drivers (which can override for specific behavior).  You can find 
the code in the sql.rb file in the DBI distribution.  Look for BasicQuote and 
BasicBind.

(I tried to respond earlier today, but it looks like my outgoing mail is 
having problems)

-- 
-- Jim Weirich    jim at weirichhouse.org     http://onestepback.org
-----------------------------------------------------------------
"Beware of bugs in the above code; I have only proved it correct, 
not tried it." -- Donald Knuth (in a memo to Peter van Emde Boas)

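The two factors discussed above (quoting by the Ruby type of the bound value, with the escaping rule supplied per adapter) as a small added example; this is not code from the thread, from ActiveRecord or from Ruby DBI, and the names `SafeBind`, `StandardEscaper` and `BackslashEscaper` are hypothetical.

```ruby
require 'date'

# Added example, not ActiveRecord's or DBI's code. A minimal placeholder
# binder in the spirit of find(["col BETWEEN ? and ?", from, to]): the
# literal form is chosen from the Ruby type of the value (the only type
# information available when the SQL itself is not parsed), while the
# string-escaping rule comes from a per-adapter escaper object.
module SafeBind
  # Default escaper: doubles single quotes, as standard SQL requires.
  class StandardEscaper
    def escape_string(s)
      s.gsub("'", "''")
    end
  end

  # Hypothetical escaper for a dialect that also treats backslash as an
  # escape character: backslashes are doubled before the quote rule runs.
  class BackslashEscaper < StandardEscaper
    def escape_string(s)
      super(s.gsub("\\") { "\\\\" })
    end
  end

  # Quote one Ruby value as a SQL literal according to its type.
  # DateTime is a subclass of Date, so it must be matched first.
  def self.quote(value, escaper = StandardEscaper.new)
    case value
    when nil            then "NULL"
    when Integer, Float then value.to_s
    when true           then "TRUE"
    when false          then "FALSE"
    when DateTime, Time then "'#{value.strftime('%Y-%m-%d %H:%M:%S')}'"
    when Date           then "'#{value.strftime('%Y-%m-%d')}'"
    when Array          then "(" + value.map { |v| quote(v, escaper) }.join(", ") + ")"
    when String         then "'#{escaper.escape_string(value)}'"
    else raise ArgumentError, "cannot quote a #{value.class}"
    end
  end

  # Replace each ? in the template with the next quoted value. A count
  # mismatch is an error, never a bare ? left in the statement.
  def self.bind(template, values, escaper = StandardEscaper.new)
    expected = template.count("?")
    unless expected == values.length
      raise ArgumentError, "#{expected} placeholders but #{values.length} values"
    end
    pending = values.dup
    template.gsub("?") { quote(pending.shift, escaper) }
  end
end
```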