Could someone tell me if the query is secure

I understand that it's easy for someone to do all kinds of nasty things
to a database. I am trying to work on security.

Could someone tell me if the following query is structured correctly for
security?

# find matching manufacturers (class method on the ActiveRecord model)
def self.find_all(manufacturer="")
  # the user-supplied value is passed as a bind value for the '?'
  # placeholder rather than interpolated into the SQL string
  find(:all, :order => "name", :conditions => ["name like ?", "%#{manufacturer}%"])
end

Thank you in advance

Mitchell

Mitchell Gould wrote:

> I understand that it's easy for someone to do all kinds of nasty things
> to a database. I am trying to work on security.
>
> Could someone tell me if the following query is structured correctly for
> security?
>
> #find matching manufacturers
>   def self.find_all(manufacturer="")
>       find(:all, :order => "name", :conditions => ["name like ?", "%#{manufacturer}%"])
>   end

I believe so. The only user input is bound to a placeholder symbol
('?'), which will mean that a parameterized query will be used.
Therefore, I don't think SQL injection is possible, and I don't see any
other problems.

By contrast, "name like %#{manufacturer}%" would be insecure.

> Thank you in advance
>
> Mitchell

Best,
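The point made in the reply above, shown as an added example that is not part of the original thread and not Rails code: a minimal stand-in for the two ways of building the WHERE clause, so the SQL text that would reach the database can be compared. Note that ActiveRecord's `?` form quotes the bind values into the SQL string on the client side before sending it (it is not a server-side prepared statement), which is what the stand-in mimics. `quote_literal`, `build_conditions`, `escape_like` and the `__where` helpers are hypothetical names introduced here, and the attacker input is constructed for illustration. The example also goes one step beyond the thread: binding stops SQL injection, but LIKE has its own metacharacters (`%` and `_`) that a bound value can still carry, so the last helper escapes them when a literal match on the user's text is intended.

```ruby
# Added example, not code from the original post or from Rails.

# Turn a Ruby value into a single-quoted SQL string literal, doubling any
# embedded single quote (the ANSI SQL escaping rule). Simplified stand-in
# for what ActiveRecord's quoting does; an assumption for this example.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each '?' in the template with the quoted form of the next value.
# Mirrors the placeholder form from the thread:
#   :conditions => ["name like ?", "%#{manufacturer}%"]
# The block form of gsub is used so nothing in the value is interpreted.
def build_conditions(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "wrong number of bind values"
  end
  queue = values.dup
  template.gsub("?") { quote_literal(queue.shift) }
end

# The insecure form the reply warns against, with the quotes that such an
# interpolated string normally carries: the raw value lands inside SQL text.
def interpolated_where(manufacturer)
  "name like '%#{manufacturer}%'"
end

# The form the original poster uses: the value is bound, then quoted.
def bound_where(manufacturer)
  build_conditions("name like ?", "%#{manufacturer}%")
end

# LIKE metacharacters ('%', '_') and the escape character itself are
# backslash-escaped so user text matches literally. ESCAPE '\' is assumed
# to be accepted by the database in use (MySQL, PostgreSQL and SQLite do).
def escape_like(value)
  value.to_s.gsub(/[\\%_]/) { |m| "\\" + m }
end

# Bound and wildcard-safe: injection is blocked and the user cannot widen
# the match with their own '%' or '_'.
def bound_where_literal(manufacturer)
  build_conditions("name like ? escape '\\'", "%#{escape_like(manufacturer)}%")
end

if __FILE__ == $0
  hostile = "x' or 1=1 --"   # constructed attacker input
  puts interpolated_where(hostile)   # the quote closes the literal; the rest is SQL
  puts bound_where(hostile)          # the quote is doubled; all of it is a string
  puts bound_where_literal("50%_off")  # wildcards escaped, so they match literally
end
```

Running the block prints the three clauses side by side; the interpolated one ends the string literal at the attacker's quote and appends `or 1=1 --` as live SQL, while the bound one carries the same text as a harmless literal.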

Sijo k g wrote:

Hi

> By contrast, "name like %#{manufacturer}%" would be insecure.

And I think this too is secure unless manufacturer is the direct user
input from params, etc.

Sijo

Hey, thanks for the feedback. manufacturer is the direct user input.

cheers

Mitch