Avoiding SQL Injection in :order?

Danny Burkes wrote:

How about calling ActiveRecord#sanitize_sql directly?

-- Posted via http://www.ruby-forum.com/.

My solution to this is to have the params[:sort] point to a key for a hash of predefined sort options.

sort_options = { 'name_up' => 'name ASC, created_at DESC', 'name_down' => 'name DESC, created_at DESC' }

then use

Object.find(:all, :order=>sort_options[params[:sort]])

If the :sort parameter is messed up, it will return the Hash.default.

_Kevin

Here is the epilogue - I created this module (comments removed):

def set_sort_method(model)
  unless params[:sort_by].nil?
    if model.column_names.include?(params[:sort_by])
      @sort_by = params[:sort_by]
    end
    unless session[:sort_by].nil?
      if session[:sort_by] == @sort_by
        @sort_by += ' desc'
      end
    end
    session[:sort_by] = @sort_by
  end
end

You might want to do...

session[:sort_by][model]....

here and a couple of lines up to avoid any conflicts arising from multiple browser windows open to different pages, etc...

Personally, I would stick with Kevin's suggestion on "sorting names" and here is why:

1. Chris' solution doesn't allow handling multiple sort params (e.g. 'company desc, name asc').
2. Kevin's solution IMHO is more flexible and secure.
3. Danny is probably right, but it's not straightforward.

Chris Gernon wrote:

Maxim Kulkin wrote:
> Personally, I would stick with Kevin's suggestion on "sorting names" and
> here is why:
>
> 1. Chris' solution doesn't allow to handle multiple sort params (e.g. 'company
> desc, name asc')
> 2. Kevin's solution IMHO is more flexible and secure.

What would be the best way to implement this? Give each model a class method (called "sort_hash" or something) that returns the hash Kevin describes?

-- Posted via http://www.ruby-forum.com/.

You could do that. I tend to customize the hash for each particular view (or I only ever use it in one), so I just define it right in the view action. In my view, this is part of the 'view' part of MVC, so the model should probably not be aware of it.

_Kevin

Personally, I had this "hash" in my controller which should show my corresponding model data. You see, it's not a generic way to order collections (you have the :order param already). It's, IMHO, a handy way to make sure that no SQL injection will occur.
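An added example, not code posted by anyone in this thread, putting both approaches side by side: Kevin's predefined sort-name hash (with Hash.default as the fallback) and Chris's column-name check, generalized here to several "column direction" pairs as in Maxim's 'company desc, name asc'. The helper names and the allowed_columns argument (standing in for model.column_names) are assumptions for the example.

```ruby
# Strategy 1 (Kevin's): a user-supplied sort *name* selects a predefined
# ORDER BY fragment; the raw parameter never reaches SQL.
SORT_OPTIONS = {
  'name_up'   => 'name ASC, created_at DESC',
  'name_down' => 'name DESC, created_at DESC'
}
SORT_OPTIONS.default = 'name ASC' # Hash.default: fallback for any unknown key

def order_from_name(sort_param)
  SORT_OPTIONS[sort_param.to_s]
end

# Strategy 2 (Chris's column check, extended to multiple "column dir" pairs).
# allowed_columns is a hypothetical stand-in for model.column_names.
def order_from_columns(allowed_columns, spec, default: 'id ASC')
  return default if spec.nil? || spec.strip.empty?

  parts = spec.split(',').map do |piece|
    column, direction = piece.strip.split(/\s+/, 2)
    # Only an exact, known column name is accepted (no prefixes, no punctuation).
    return default unless allowed_columns.include?(column)
    direction = (direction || 'asc').downcase
    # Only the two literal directions are accepted; any other token rejects
    # the whole spec, so nothing user-controlled is interpolated into SQL.
    return default unless %w[asc desc].include?(direction)
    "#{column} #{direction.upcase}"
  end
  parts.join(', ')
end

# Constructed sample inputs of the kind params[:sort] might carry.
if __FILE__ == $0
  columns = %w[id name company created_at]
  puts order_from_name('name_down')                           # name DESC, created_at DESC
  puts order_from_name('created_at; whatever')                # name ASC (unknown key -> default)
  puts order_from_columns(columns, 'company desc, name asc')  # company DESC, name ASC
  puts order_from_columns(columns, 'name; whatever')          # id ASC (rejected)
end
```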