Could someone tell me if the query is secure

I understand that it's easy for someone to do all kinds of nasty things to a database. I am trying to work on security.

Could someone tell me if the following query is structured correctly for security?

# find matching manufacturers
def self.find_all(manufacturer="")
  find(:all, :order => "name", :conditions => ["name like ?", "%#{manufacturer}%"])
end

Thank you in advance

Mitchell

Mitchell Gould wrote:

I understand that it's easy for someone to do all kinds of nasty things to a database. I am trying to work on security.

Could someone tell me if the following query is structured correctly for security?

# find matching manufacturers
def self.find_all(manufacturer="")
  find(:all, :order => "name", :conditions => ["name like ?", "%#{manufacturer}%"])
end

I believe so. The only user input is bound to a placeholder symbol ('?'), which will mean that a parameterized query will be used. Therefore, I don't think SQL injection is possible, and I don't see any other problems.

By contrast, "name like %#{manufacturer}%" would be insecure.

Thank you in advance

Mitchell

Best,
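To make the difference in the reply above concrete without a database, here is an added stand-alone Ruby example (not code from the thread or from ActiveRecord) that models what the :conditions => [template, *values] form does: each '?' is replaced by the value quoted as a SQL string literal, so an apostrophe in the input stays inside the literal. The quoting rule (doubling single quotes) is a simplified assumption standing in for the adapter's real escaping; the function names sql_quote, bind_conditions, escape_like and well_formed? are invented for the example. The input "O'Neil" is constructed to show that the interpolated form produces an unbalanced string literal while the bound form stays well formed. escape_like goes one step beyond the thread: binding protects the SQL structure, but it does not escape the LIKE wildcards % and _ in user text, so a search term can still match more rows than intended unless those are escaped too (newer Rails versions ship sanitize_sql_like for this).

```ruby
# Added example, not from the thread: a model of bound placeholders versus
# string interpolation, runnable offline without ActiveRecord.

# Quote a Ruby value as a SQL string literal (simplified assumption:
# ANSI-style doubling of embedded single quotes).
def sql_quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Bind each '?' in the template to the corresponding quoted value, as the
# :conditions => [template, *values] form does. Splitting the template
# first means a '?' inside a bound value is never treated as a placeholder.
def bind_conditions(template, *values)
  parts = template.split("?", -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  quoted = values.map { |v| sql_quote(v) } + [""]
  parts.zip(quoted).flatten.join
end

# Escape LIKE wildcards so user text is matched literally; binding alone
# does not do this, so "%" or "_" typed by a user would still act as wildcards.
def escape_like(value)
  value.gsub(/[\\%_]/) { |c| "\\" + c }
end

# The safe form from the original post, modelled.
def safe_conditions(manufacturer)
  bind_conditions("name like ?", "%#{manufacturer}%")
end

# The insecure form the reply warns about: interpolating straight into SQL.
def interpolated_conditions(manufacturer)
  "name like '%#{manufacturer}%'"
end

# Check whether the fragment's string literals are balanced: after removing
# doubled-quote escapes, an odd number of quotes means an unterminated literal,
# i.e. the input has broken out of the string and changed the SQL structure.
def well_formed?(sql)
  sql.gsub("''", "").count("'").even?
end

if $PROGRAM_NAME == __FILE__
  input = "O'Neil" # constructed sample with an apostrophe
  puts "bound:        #{safe_conditions(input)}  well formed: #{well_formed?(safe_conditions(input))}"
  puts "interpolated: #{interpolated_conditions(input)}  well formed: #{well_formed?(interpolated_conditions(input))}"
  puts "wildcards escaped: #{safe_conditions(escape_like('100%'))}"
end
```

Running it prints the bound fragment with the apostrophe doubled and still well formed, and the interpolated fragment with three unbalanced quotes. The well_formed? check is only an illustration of the structural difference; the real protection is letting the adapter quote every value, which is exactly what the placeholder form does.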

Sijo k g wrote:

Hi

By contrast, "name like %#{manufacturer}%" would be insecure.

And I think this too is secure unless manufacturer is the direct user input from params etc.

Sijo

Hey thanks for the feedback. manufacturer is the direct user input.

cheers

Mitch