Is find(params[:id]) safe?

Hi,

I'm doing some basic changes related to security like the ones below:

Avoiding mass assignment substituting:
@comment = @tab.comments.build(params[:comment])

With:
@comment.body = params[:comment][:body]

Avoiding SQL injection substituting:
@comment = @tab.comments.find(params[:id])

with:
@comment = @tab.comments.find(:first, :conditions => ["id = ?", params[:id]])

But I am not sure if @comment = @tab.comments.find(params[:id]) is
already safe against SQL injection. Can anyone clarify it?

Thanks

Yes, find(params[:id]) is safe from SQL injection.

Hi --

Hi,

I'm doing some basic changes related to security like the ones below:

Avoiding mass assignment substituting:
@comment = @tab.comments.build(params[:comment])

With:
@comment.body = params[:comment][:body]

Avoiding SQL injection substituting:
@comment = @tab.comments.find(params[:id])

with:
@comment = @tab.comments.find(:first, :conditions => ["id = ?", params[:id]])

But I am not sure if @comment = @tab.comments.find(params[:id]) is
already safe against SQL injection. Can anyone clarify it?

Let's ask Rails:

class << ActiveRecord::Base
  alias old_sanitize sanitize_sql
  def sanitize_sql(*args,&block)
    puts "Sanitizing #{args}"
    old_sanitize(*args,&block)
  end
end

=> nil

Team.find(1)

Sanitizing "teams"."id" = 1
Sanitizing SELECT * FROM "teams" WHERE ("teams"."id" = 1)

David

comopasta Gr wrote:

But I am not sure if @comment = @tab.comments.find(params[:id]) is
already safe against SQL injection. Can anyone clarify it?

How about you inject some SQL hanky-panky and see what happens to it?

(You can also use assert_efficient_sql to reflect the generated SELECT statement, and examine it for the correct escapes around your fishy :id...)
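To make the "see what happens" experiment concrete without a Rails app, here is an added, self-contained Ruby model of the three ways params[:id] can reach a WHERE clause. It is not ActiveRecord's own code: the quoting rules (integer cast for a primary-key lookup, single-quote doubling for a ? placeholder) are a simplification of the behaviour the thread describes, and the tainted id is a constructed sample.

```ruby
# Constructed sample of an attacker-controlled params[:id] value.
TAINTED_ID = "1 OR 1=1"

# Unsafe pattern for comparison: the raw parameter is interpolated into SQL,
# so its content becomes part of the statement's syntax.
def unsafe_sql(id)
  "SELECT * FROM comments WHERE id = #{id}"
end

# Model of find(id) on an integer primary key: the value is cast with to_i
# before it is placed in the statement, so only a leading integer survives
# ("1 OR 1=1".to_i == 1). Simplification, not ActiveRecord's implementation.
def find_by_pk_sql(id)
  "SELECT * FROM comments WHERE id = #{id.to_i}"
end

# Quote one value as an SQL literal: integers verbatim, nil as NULL, anything
# else as a string with embedded single quotes doubled (ANSI quoting only;
# database-specific escapes such as backslashes are omitted here).
def quote_literal(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Model of :conditions => ["id = ?", value]: every ? is replaced by the
# quoted literal, so the input is data and never syntax.
def sanitize_sql_array(conditions)
  template, *values = conditions
  raise ArgumentError, "wrong number of bind values" unless template.count("?") == values.size
  queue = values.dup
  template.gsub("?") { quote_literal(queue.shift) }
end

def conditions_sql(id)
  "SELECT * FROM comments WHERE " + sanitize_sql_array(["id = ?", id])
end

# Review check for generated SQL: does a keyword such as OR appear anywhere
# outside a quoted string literal? Quoted literals are blanked first.
def keyword_outside_quotes?(sql, keyword)
  stripped = sql.gsub(/'(?:[^']|'')*'/, "''")
  !!(stripped =~ /\b#{Regexp.escape(keyword)}\b/i)
end

if __FILE__ == $0
  [unsafe_sql(TAINTED_ID), find_by_pk_sql(TAINTED_ID), conditions_sql(TAINTED_ID)].each do |sql|
    puts "#{keyword_outside_quotes?(sql, 'OR') ? 'INJECTED' : 'ok      '} #{sql}"
  end
end
```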

Thank you for the replies!

Cheers.