[Rails] SQL Injection Attacks
Jim Weirich
jim at weirichhouse.org
Fri Dec 3 18:24:34 GMT 2004
Dave Thomas said:
> I'd very much like to see Rails move towards
>
> table.find_all([ "id = ?", id] )
>
> and have it use the underlying database to do the substitution.
Ruby DBI handles this by providing tools for the driver writers to use to
handle quoting and parameter binding, even if the underlying database does
not.
The code of interest is in the sql.rb file, modules BasicBind (for
binding) and BasicQuote (for quoting). Driver writers can override or
replace these services if they are not appropriate for their particular
database.
You might not be worried about SQL injection problems, but I attended a
security forum yesterday and saw a demo of SQL injection. By typing "' OR
1=1" into the name field of a login screen, the user was able to log in as
a random user without using a password. Granted, the demo was designed
with this in mind, but it does point out the potential problems if we are
not careful.
--
-- Jim Weirich jim at weirichhouse.org http://onestepback.org
-----------------------------------------------------------------
"Beware of bugs in the above code; I have only proved it correct,
not tried it." -- Donald Knuth (in a memo to Peter van Emde Boas)
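As an added example (not code from the post, from Rails, or from Ruby DBI itself), here is a minimal reimplementation of the quote-then-bind approach Jim describes, next to the interpolated query it replaces. The `users` table, the `sql_quote`, `sql_bind` and `sql_skeleton` helpers, and the `' OR 1=1 --` payload (the demo's `' OR 1=1` with a trailing comment so the rest of the line is ignored) are all assumptions for the demo.

```ruby
# Illustrative reimplementation of the two services the post mentions
# (quoting a Ruby value into an SQL literal, and binding it into a "?"
# placeholder), beside the string-interpolation habit that invites injection.
# Not Ruby DBI's own code; names and payload are made up for this example.

# Quote one Ruby value as an SQL literal, in the spirit of DBI's BasicQuote.
def sql_quote(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  when true           then "1"
  when false          then "0"
  when String         then "'" + value.gsub("'", "''") + "'" # '' escapes a quote in standard SQL
  else raise ArgumentError, "cannot quote #{value.class}"
  end
end

# Replace each "?" placeholder that sits outside a string literal with the
# quoted argument, in the spirit of DBI's BasicBind.
def sql_bind(sql, *args)
  args = args.dup
  out = +""
  in_literal = false
  sql.each_char do |ch|
    if ch == "'"
      in_literal = !in_literal # a doubled '' toggles twice, staying in the literal
      out << ch
    elsif ch == "?" && !in_literal
      raise ArgumentError, "too few bind values" if args.empty?
      out << sql_quote(args.shift)
    else
      out << ch
    end
  end
  raise ArgumentError, "too many bind values" unless args.empty?
  out
end

# The habit the post warns about: user input pasted straight into the SQL text.
def login_query_unsafe(name, password)
  "SELECT * FROM users WHERE name = '#{name}' AND password = '#{password}'"
end

# The form Dave asked for: placeholders, with the values bound by the library.
def login_query_bound(name, password)
  sql_bind("SELECT * FROM users WHERE name = ? AND password = ?", name, password)
end

# Drop the contents of string literals, leaving the skeleton the SQL parser
# actually treats as syntax. Injected text appears here; quoted text does not.
def sql_skeleton(sql)
  out = +""
  in_literal = false
  sql.each_char do |ch|
    if ch == "'"
      in_literal = !in_literal
      out << ch
    elsif !in_literal
      out << ch
    end
  end
  out
end

if __FILE__ == $0
  payload = "' OR 1=1 --" # constructed attacker input for the name field
  puts "unsafe:   #{login_query_unsafe(payload, "x")}"
  puts "skeleton: #{sql_skeleton(login_query_unsafe(payload, "x"))}"
  puts "bound:    #{login_query_bound(payload, "x")}"
  puts "skeleton: #{sql_skeleton(login_query_bound(payload, "x"))}"
end
```

Run it and compare the two skeletons: in the interpolated query the `OR 1=1` lands outside any literal and becomes part of the WHERE clause, while in the bound query the doubled quote keeps the whole payload inside one string literal, so the condition the database evaluates is still `name = <literal> AND password = <literal>`. Real drivers let the database do the binding itself where it can; the point of the fallback is that the escaping rule lives in one place the driver writer owns, not in every call site.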