What's the most recommended technique for guarding Rails HTTP params?
For example, something like this can obviously be dangerous (e.g. SQL
injection):
user_account = UserAccount.find(:first, :conditions => ["username = ?", params[:id]])
I am about to write a home-grown validation routine to check for string
lengths, data types (e.g. numeric versus string, depending on what I'm
expecting), etc. but I wasn't sure if there are existing
plugins/libraries out there.
I was considering writing something like this:
id = validate_params(params[:id], "string", 10) # 10 being max_length
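An allowlist-style checker in the spirit of the validate_params(params[:id], "string", 10) sketch above, added here as an example and not code from the thread. It is plain Ruby with the Rails params hash stood in for by an ordinary Hash, so it runs without Rails; the rule table (parameter names, lengths, patterns, limits) is an assumption chosen for illustration. Each parameter an action accepts is declared once with its type and bounds, anything undeclared is dropped, and values that are not scalar strings (Rails turns ?id[]=1 into an Array) are rejected before any parsing.

```ruby
# Added example, not from the thread: an allowlist checker for raw request
# params. Plain Ruby; the Rails params hash is simulated by a plain Hash and
# the rule table below is an assumption, not a Rails default.

class ParamValidationError < ArgumentError; end

module ParamGuard
  # Cut off absurdly long values before any per-field parsing happens.
  MAX_RAW_LENGTH = 256

  # Every parameter the action accepts is declared here; undeclared keys are dropped.
  RULES = {
    "id"       => { type: :integer, max: 2**31 - 1, required: true },
    "username" => { type: :string,  max_length: 10, pattern: /\A[a-z0-9_]+\z/ },
    "page"     => { type: :integer, max: 1_000, default: 1 },
  }.freeze

  # Returns a new Hash containing only declared, type-checked, coerced values.
  def self.sanitize(params, rules = RULES)
    rules.each_with_object({}) do |(name, rule), clean|
      raw = params[name]
      if raw.nil? || raw == ""
        raise ParamValidationError, "#{name} is required" if rule[:required]
        clean[name] = rule[:default] if rule.key?(:default)
        next
      end
      # Rails turns ?id[]=1 or ?id[x]=1 into an Array/Hash; a scalar is required here.
      raise ParamValidationError, "#{name} must be a scalar" unless raw.is_a?(String)
      raise ParamValidationError, "#{name} exceeds #{MAX_RAW_LENGTH} bytes" if raw.bytesize > MAX_RAW_LENGTH
      clean[name] = coerce(name, raw, rule)
    end
  end

  def self.coerce(name, raw, rule)
    case rule[:type]
    when :integer
      # Strict shape check first: Integer() without a base would accept "0x1f" or "1_000".
      raise ParamValidationError, "#{name} must be an integer" unless raw.match?(/\A-?\d{1,10}\z/)
      value = Integer(raw, 10)
      min = rule.fetch(:min, 0)
      max = rule.fetch(:max, 2**31 - 1)
      raise ParamValidationError, "#{name} out of range" unless (min..max).cover?(value)
      value
    when :string
      raise ParamValidationError, "#{name} longer than #{rule[:max_length]}" if raw.length > rule[:max_length]
      raise ParamValidationError, "#{name} has invalid characters" if rule[:pattern] && !raw.match?(rule[:pattern])
      raw
    else
      raise ArgumentError, "unknown rule type #{rule[:type].inspect}"
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input standing in for params in a controller action.
  p ParamGuard.sanitize("id" => "42", "username" => "alice_01", "debug" => "1")
end
```

In a controller the call would sit at the top of the action and its ParamValidationError would be rescued into a 400 response; the returned Hash, not params, is what the rest of the action uses.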
ActiveRecord has many validation callbacks such as validate_presence_of, etc.
It's preferable to validate data in the models instead of controllers.
user_account = UserAccount.find(:first, :conditions => ["username = ?", params[:id]])
If you read the docs, you would know that this sanitizes parameters
precisely to guard against such injection
Sorry, guys; my bad. I should have explained that I'm probably least
worried about ActiveRecord.find stuff (even though I threw that example
up) and more worried about params in general (i.e. ones not passed to
ActiveRecord.find) and also worried about
ActiveRecord::Base.connection.select_all, count_by_sql, etc. I do have
methods that accept params for non-ActiveRecord in a couple of places.
I have used many of ActiveRecord's validation callbacks (e.g.
validate_presence_of) but I'll dig deeper into those. However, I'm
looking for generic, non-ActiveRecord params validation stuff. If
you know of any, please let me know.
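The lookup from the question written as raw SQL three ways, added here as an example and not code from the thread. Rails count_by_sql and find_by_sql (like the :conditions option) accept an Array whose first element carries ? placeholders and quote the remaining elements themselves, so the placeholder form is the one to hand them. The functions here are plain Ruby that only build that Array; the table and column names are assumptions.

```ruby
# Added example, not from the thread: building raw SQL for count_by_sql /
# find_by_sql. Table and column names are assumptions. Nothing here touches a
# database; the functions return the string or Array that would be passed on.

# 1. Interpolation: the parameter becomes SQL text, and a single quote in the
#    input changes the statement's structure. This is the shape to avoid.
def count_sql_unsafe(username)
  "SELECT COUNT(*) FROM user_accounts WHERE username = '#{username}'"
end

# 2. Placeholder form, suitable for UserAccount.count_by_sql(...): the value
#    travels separately and ActiveRecord quotes it.
def count_sql_safe(username)
  ["SELECT COUNT(*) FROM user_accounts WHERE username = ?", username]
end

# 3. Placeholders only cover values. A column name taken from params (sort
#    order, field list) cannot be bound, so it has to come from a fixed list.
SORTABLE_COLUMNS = %w[username created_at].freeze

def find_sql_safe(username, order_by)
  raise ArgumentError, "cannot sort by #{order_by.inspect}" unless SORTABLE_COLUMNS.include?(order_by)
  ["SELECT * FROM user_accounts WHERE username = ? ORDER BY #{order_by}", username]
end

if $PROGRAM_NAME == __FILE__
  p count_sql_unsafe("o'brien")   # quoting already broken by a legitimate name
  p count_sql_safe("o'brien")     # same input, kept as data
  p find_sql_safe("o'brien", "created_at")
end
```

The same applies to select_all and any other method that takes a string: build the string with constant SQL and an allowlisted identifier, and pass every value through a placeholder or through the connection's quote method.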
I suspect that you'll need to provide some more specific examples. I
also suspect that you're possibly over thinking things a bit (possibly
due to how you might have approached problems like this in previous
languages/frameworks).
I've actually worked with Rails for 2+ years and published articles
about it, so I hope I'm not over-thinking things.
However, we recently began getting very long URLs with invalid
parameters, which is what got me thinking of these
things. This is 10% of how long the URLs are -- imagine this string
times 10:
That URL is from our log files; I masked our domain name (see below).
We are getting calls made with very long parameters made every couple of
minutes and since they are all from Windows NT machines, I suspect it's a
virus that the user might not even be aware of. Anyway, whether it's a
virus or a deliberate attempt to crack our systems, I would like to guard
our parameters, so only appropriate size and content is passed in.
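One way to stop over-long query strings before the framework parses them, added here as an example and not code from the thread: a small Rack-style middleware that answers 414 when the query string is too long or carries too many parameters, and logs the client and size rather than the payload. It is plain Ruby following the Rack calling convention (call(env) returning [status, headers, body]), so it runs with no gems; the byte and parameter limits are illustrative values, not Rails defaults, and the note about installing it with config.middleware.use assumes a Rack-based Rails stack.

```ruby
# Added example, not from the thread: a Rack-style middleware that rejects
# oversized query strings. Limits are assumptions; in a Rack-based Rails app
# it would be installed with config.middleware.use QueryStringLimit.
require "stringio"

class QueryStringLimit
  MAX_QUERY_BYTES = 2_048
  MAX_PARAM_COUNT = 50

  def initialize(app, logger = $stderr)
    @app = app
    @logger = logger
  end

  def call(env)
    qs = env["QUERY_STRING"].to_s
    if qs.bytesize > MAX_QUERY_BYTES || qs.count("&") + 1 > MAX_PARAM_COUNT
      # Record who sent it and how big it was, not the string itself, so the
      # log does not fill up with the very payload we are keeping out.
      @logger.puts "rejected oversized query (#{qs.bytesize} bytes) " \
                   "from #{env['REMOTE_ADDR']} for #{env['PATH_INFO']}"
      return [414, { "Content-Type" => "text/plain" }, ["Request-URI Too Long\n"]]
    end
    @app.call(env)
  end
end

# Exercise the middleware without a web server: a stub app behind it and a
# constructed Rack env. Returns the HTTP status the client would see.
def run_with_limit(query_string)
  inner = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok\n"]] }
  app = QueryStringLimit.new(inner, StringIO.new)
  status, = app.call("QUERY_STRING" => query_string,
                     "REMOTE_ADDR"  => "203.0.113.7",   # constructed client address
                     "PATH_INFO"    => "/users")
  status
end

if $PROGRAM_NAME == __FILE__
  p run_with_limit("id=42")
  p run_with_limit("id=" + "x" * 3_000)
end
```

Because the check runs before routing, the rejected requests never reach a controller or the parameter parser, and the per-action validation only has to deal with requests of a plausible size.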