[Rails] SQL Injection Attacks

Steve Purcell rails at pythonconsulting.com
Mon Dec 6 19:55:22 GMT 2004


On Monday 06 December 2004 19:49, David Heinemeier Hansson wrote:
> >    firm_id == "whatever' OR '1' = '1"
>
> The sanitation that Active Record does on variables when using the []
> form prevents this. ;, :, and ' are simply stripped so that it is not
> possible to break out of the original quotation. This makes it
> impossible to get your own SQL executed.

Aha; I wasn't aware of the munging step.

-Steve
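The difference between the two forms discussed in this thread, as an added example that is not part of the original messages and not Active Record's own code: a simplified model of the `?`-placeholder substitution (labelled as such below) that quotes each value using standard SQL quote-doubling rather than the character stripping the quoted message describes, beside the raw string interpolation that lets the `firm_id` payload break out of its literal. The `string_literal_count` helper is a constructed check showing why the placeholder form is safe: the input lands in exactly one literal, while the interpolated form yields three.

```ruby
# Added example: a simplified model of placeholder substitution for SQL
# conditions. It is NOT Active Record's implementation; it uses standard
# SQL quote-doubling rather than the character stripping described in the
# quoted message.

# Quote a Ruby value as a SQL literal. Strings get single quotes with any
# embedded single quote doubled; integers pass through; nil becomes NULL.
def quote_value(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# The "array form": a template with ? placeholders followed by the values.
# Each ? is replaced with the quoted value, so a value can never terminate
# the literal it is placed in.
def sanitize_conditions(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  i = -1
  template.gsub("?") { quote_value(values[i += 1]) }
end

# The unsafe alternative: interpolate the raw value into the SQL text.
def interpolate_conditions(value)
  "firm_id = '#{value}'"
end

# Count the single-quoted string literals in a SQL fragment, treating a
# doubled quote inside a literal as an escaped quote. If user input was
# meant to land in exactly one literal but more appear, the input broke out.
def string_literal_count(sql)
  count = 0
  in_literal = false
  i = 0
  while i < sql.length
    ch = sql[i]
    if in_literal
      if ch == "'"
        if sql[i + 1] == "'"
          i += 1            # escaped quote: stay inside the literal
        else
          in_literal = false
        end
      end
    elsif ch == "'"
      in_literal = true
      count += 1
    end
    i += 1
  end
  count
end

# Constructed input, taken from the payload quoted in the thread.
PAYLOAD = "whatever' OR '1' = '1"

if __FILE__ == $0
  unsafe = interpolate_conditions(PAYLOAD)
  safe   = sanitize_conditions("firm_id = ?", PAYLOAD)
  puts "interpolated: #{unsafe}  (#{string_literal_count(unsafe)} literals)"
  puts "placeholder:  #{safe}  (#{string_literal_count(safe)} literals)"
end
```

Running the file shows the interpolated fragment `firm_id = 'whatever' OR '1' = '1'` (three literals, a tautology) next to the placeholder fragment `firm_id = 'whatever'' OR ''1'' = ''1'` (one literal, an ordinary comparison against a strange string). The literal counter is a useful sanity check in a test suite: any path that builds SQL from user input should leave the literal count unchanged regardless of the input.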

