[Rails] SQL Injection Attacks
David Heinemeier Hansson
david at loudthinking.com
Mon Dec 6 19:49:25 GMT 2004
> The first alternative still appears unsafe to my eyes. Consider, for
> example, the case where
>
> firm_id == "whatever' OR '1' = '1"
>
> The %d alternative provides some safety, but a truly safe binding
> mechanism
> needs awareness of escaping semantics for the target flavour of SQL.
The sanitation that Active Record does on variables when using the []
form prevents this. ;, :, and ' are simply stripped so that it is not
possible to break out of the original quotation. This makes it
impossible to get your own SQL executed.
--
David Heinemeier Hansson,
http://www.basecamphq.com/ -- Web-based Project Management
http://www.rubyonrails.org/ -- Web-application framework for Ruby
http://macromates.com/ -- TextMate: Code and markup editor (OS X)
http://www.loudthinking.com/ -- Broadcasting Brain
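To make the two positions in this exchange concrete, here is an added Ruby example (not Active Record's code and not anything from the thread). It builds the WHERE clause three ways with the firm_id payload quoted above: plain string interpolation, a hypothetical quote-doubling helper named quote, and an integer-only binding in the spirit of the %d form. A small scanner, sql_skeleton, replaces every string literal with ? so you can see whether any part of the value ended up outside the literal.

```ruby
# Added example, not Active Record's implementation. The table and column
# names (companies, firm_id) are constructed for illustration.

# Unsafe: the value is dropped into the SQL text as-is.
def where_unsafe(firm_id)
  "SELECT * FROM companies WHERE firm_id = '#{firm_id}'"
end

# Hypothetical quoting helper: SQL-standard escaping of a string literal,
# doubling every single quote so the literal cannot be terminated early.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def where_quoted(firm_id)
  "SELECT * FROM companies WHERE firm_id = " + quote(firm_id)
end

# Integer binding, approximating the %d form discussed in the thread:
# anything that is not an integer is rejected before any SQL is built.
def where_int(firm_id)
  id = begin
    Integer(firm_id.to_s, 10)
  rescue ArgumentError
    raise ArgumentError, "firm_id must be an integer"
  end
  "SELECT * FROM companies WHERE firm_id = #{id}"
end

# Replace every single-quoted literal (handling '' escapes) with a ?,
# leaving the bare SQL skeleton. Keywords that escaped a literal show up
# in the skeleton; a value that stayed inside its literal does not.
def sql_skeleton(sql)
  out = +""
  in_literal = false
  i = 0
  while i < sql.length
    c = sql[i]
    if in_literal
      if c == "'"
        if sql[i + 1] == "'"
          i += 1            # doubled quote: still inside the literal
        else
          in_literal = false
          out << "?"        # placeholder for the whole literal
        end
      end
    elsif c == "'"
      in_literal = true
    else
      out << c
    end
    i += 1
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  payload = "whatever' OR '1' = '1"
  puts sql_skeleton(where_unsafe(payload))   # the OR is now part of the query
  puts sql_skeleton(where_quoted(payload))   # the whole value is one literal
  puts where_int("42")
end
```

Quote doubling is the escaping rule of standard SQL; it is not a complete answer for every dialect (MySQL, for instance, treats backslash as an escape character inside literals unless that mode is disabled), which is the point the quoted poster makes about escaping semantics depending on the target flavour of SQL.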