do I need to do mysql_escape_string and how?

paul wrote:

In my rails apps do I need to do mysql_escape and if so what functions are around to be able to do this?

Let Rails take care of all such mundane things for you. Either assign your string, as string data, to a member of an ActiveRecord-derived object, or use your string in a find() using a parameter substitution system, like :conditions => ['foo = ?', my_foo].

I suspect Rails will either correctly escape things, or will use the underlying database's parameterized query system.

All you need to do is remember never to put a tainted string directly into a fragment of an SQL statement. Never say, for example, :conditions => "foo = '#{my_foo}'", because now you are vulnerable to SQL-injection attacks. Rails cannot help a string with #{} in it, because that expands at Ruby time before Rails sees the string.

paul wrote:

Yeah, that is the problem. I am generating the conditions statement in a string, which could be a security problem. I was wondering if there is a way to manually escape these fields whilst creating the conditions string?

:conditions => [" foo = ?", bar]

Always use at least the ? notation. This matches the raw database technique of parameterized queries. It escapes.
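To make the difference between the two forms concrete, here is an added example (not code from the thread above, and not ActiveRecord's own source). It runs without Rails: `mysql_quote` and `sanitize_sql_array` below are simplified stand-ins for the quoting that Rails performs when you write `:conditions => ['foo = ?', bar]`, written to mirror the escaping rules of mysql_real_escape_string for the common characters. In a real app you would not write these yourself; you would use the `?` placeholder form, or, if you must build a fragment by hand, Rails' own `sanitize_sql_array` / `connection.quote`. The `TAINTED` value is a constructed attacker input.

```ruby
# Added example, not from the original thread: why "foo = '#{my_foo}'" is
# dangerous and what the ['foo = ?', my_foo] placeholder form does instead.
# No ActiveRecord is loaded; mysql_quote and sanitize_sql_array are simplified
# stand-ins for the adapter quoting Rails performs, so the script runs offline.

# Assumed attacker-controlled input, constructed for this example.
TAINTED = "x' OR '1'='1"

# Quote a Ruby value as a MySQL string literal. Backslash, both quote
# characters, NUL, newline, carriage return and Ctrl-Z are escaped the way
# the MySQL client library's mysql_real_escape_string does.
def mysql_quote(value)
  return "NULL" if value.nil?
  return value.to_s if value.is_a?(Integer)
  escaped = value.to_s.gsub(/[\\'"\x00\n\r\x1a]/) do |ch|
    case ch
    when "\\"   then "\\\\"
    when "'"    then "\\'"
    when "\""   then "\\\""
    when "\x00" then "\\0"
    when "\n"   then "\\n"
    when "\r"   then "\\r"
    when "\x1a" then "\\Z"
    end
  end
  "'#{escaped}'"
end

# Simplified stand-in for ActiveRecord's sanitize_sql_array: replace each ?
# with the quoted form of the next bind value, and refuse mismatched counts
# so a missing or extra value cannot silently shift the arguments.
def sanitize_sql_array(conditions)
  sql, *values = conditions
  placeholders = sql.count("?")
  unless placeholders == values.size
    raise ArgumentError, "wrong number of bind variables (#{values.size} for #{placeholders})"
  end
  sql.gsub("?") { mysql_quote(values.shift) }
end

# The unsafe form from the thread: Ruby expands #{} before anything SQL-aware
# sees the string, so the quote inside TAINTED closes the literal and the
# rest of the input becomes SQL.
def unsafe_conditions(my_foo)
  "foo = '#{my_foo}'"
end

# The safe form: the value is handed over separately and quoted as data.
def safe_conditions(my_foo)
  sanitize_sql_array(["foo = ?", my_foo])
end

if __FILE__ == $0
  puts "unsafe: #{unsafe_conditions(TAINTED)}"   # foo = 'x' OR '1'='1'
  puts "safe:   #{safe_conditions(TAINTED)}"     # foo = 'x\' OR \'1\'=\'1'
end
```

Run it and compare the two lines: the interpolated fragment has become a tautology (`foo = 'x' OR '1'='1'`), while the placeholder form keeps the whole input inside one quoted literal. Note that quoting only protects values; a column name or `ORDER BY` direction taken from user input still has to be checked against an allow-list, because no escaping function can make an identifier safe.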