[Rails] SQL Injection Attacks
Steve Purcell
rails at pythonconsulting.com
Mon Dec 6 19:20:38 GMT 2004
On Monday 06 December 2004 16:44, David Heinemeier Hansson wrote:
> So here are two safe alternatives:
>
> Person.find_first(["firm_id = '%s'", firm_id ])
> Person.find_first(["firm_id = %d", firm_id ])
The first alternative still appears unsafe to my eyes. Consider, for
example, the case where
firm_id == "whatever' OR '1' = '1"
The %d alternative provides some safety, but a truly safe binding mechanism
needs awareness of escaping semantics for the target flavour of SQL.
Best wishes to all,
-Steve
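Added illustration (not part of the original mail or of Rails): the three ways of building the condition that the thread discusses, side by side. Plain Ruby with no database or Rails dependency; the helper names (naive_condition, escaped_condition, bound_condition, code_outside_literals) are made up for this example, and the tainted value is the one quoted in the message above. The last helper walks the finished statement and returns only the text a SQL parser would read as code rather than as string-literal content, which makes it easy to see whether a value has escaped its quotes.

```ruby
# Constructed attacker-controlled input, taken from the message above.
TAINTED_FIRM_ID = "whatever' OR '1' = '1"

# 1. sprintf-style interpolation: the value is spliced straight into the SQL text.
def naive_condition(firm_id)
  "firm_id = '%s'" % firm_id
end

# 2. Escaping for one SQL flavour. Standard SQL (and SQLite, PostgreSQL with
#    standard_conforming_strings) escapes a quote by doubling it. This is the
#    "awareness of escaping semantics for the target flavour" the mail asks for:
#    a dialect that also honours backslash escapes needs a different routine.
def sql_escape(value)
  value.to_s.gsub("'", "''")
end

def escaped_condition(firm_id)
  "firm_id = '%s'" % sql_escape(firm_id)
end

# 3. Bound parameters: the statement carries a placeholder and the value is
#    handed to the driver separately, so it never becomes part of the SQL text.
PreparedQuery = Struct.new(:sql, :binds)

def bound_condition(firm_id)
  PreparedQuery.new("firm_id = ?", [firm_id])
end

# Return the parts of a statement that sit outside single-quoted literals,
# treating '' inside a literal as an escaped quote rather than a terminator.
def code_outside_literals(sql)
  out = +""
  in_literal = false
  i = 0
  while i < sql.length
    ch = sql[i]
    if in_literal
      if ch == "'"
        if sql[i + 1] == "'"
          i += 1            # doubled quote: still inside the literal
        else
          in_literal = false
        end
      end
    elsif ch == "'"
      in_literal = true
    else
      out << ch
    end
    i += 1
  end
  out
end

# A value has broken out of its literal if SQL keywords appear in code position.
def injected?(sql)
  code_outside_literals(sql) =~ /\bOR\b/i ? true : false
end

if __FILE__ == $0
  [naive_condition(TAINTED_FIRM_ID), escaped_condition(TAINTED_FIRM_ID)].each do |sql|
    puts "#{sql}\n  code seen by parser: #{code_outside_literals(sql).inspect}" \
         "  injected? #{injected?(sql)}"
  end
  q = bound_condition(TAINTED_FIRM_ID)
  puts "#{q.sql}  binds=#{q.binds.inspect}  injected? #{injected?(q.sql)}"
end
```

Run with `ruby` directly to print the three statements. The naive form yields `firm_id = 'whatever' OR '1' = '1'`, where the OR sits in code position; the escaped form keeps the whole value inside one literal; the bound form has nothing to escape at all, which is why placeholder binding is the mechanism to prefer whenever the adapter supports it.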