11175
(-- --)
July 26, 2008, 8:27pm
1
Hi,
I'm doing some basic changes related to security like the ones below:
Avoiding mass assignment substituting:
@comment = @tab.comments.build(params[:comment])
With:
@comment.body = params[:comment][:body]
Avoiding SQL injection substituting:
@comment = @tab.comments.find(params[:id])
with:
@comment = @tab.comments.find(:first, :conditions => ["id = ?", params[:id]])
But I am not sure if @comment = @tab.comments.find(params[:id]) is
already safe against SQL injection. Can anyone clarify it?
Thanks
Yes, find(params[:id]) is safe from SQL injection.
Hi --
> Hi,
> I'm doing some basic changes related to security like the ones below:
> Avoiding mass assignment substituting:
> @comment = @tab.comments.build(params[:comment])
> With:
> @comment.body = params[:comment][:body]
> Avoiding SQL injection substituting:
> @comment = @tab.comments.find(params[:id])
> with:
> @comment = @tab.comments.find(:first, :conditions => ["id = ?", params[:id]])
> But I am not sure if @comment = @tab.comments.find(params[:id]) is
> already safe against SQL injection. Can anyone clarify it?
Let's ask Rails:
class << ActiveRecord::Base
  alias old_sanitize sanitize_sql
  def sanitize_sql(*args, &block)
    puts "Sanitizing #{args}"
    old_sanitize(*args, &block)
  end
end
=> nil
Team.find(1)
Sanitizing "teams"."id" = 1
Sanitizing SELECT * FROM "teams" WHERE ("teams"."id" = 1)
David
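As an added example (not code from this thread and not ActiveRecord's own implementation), the stand-alone Ruby below models what sanitize_sql does with "?" placeholders, so the three query forms discussed in the question and traced in the irb session above can be compared without a Rails install. The quoting rules are a simplified assumption (single quotes doubled, integers left bare, no adapter-specific backslash escaping), and filtered_attributes is a hypothetical helper that generalises the mass-assignment fix to a whitelist.

```ruby
# Added example; not from this thread or from ActiveRecord itself.
# Simplified model of ActiveRecord quoting (assumption: quotes doubled,
# integers bare; real adapters may also escape backslashes).
def quote_value(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  when Array   then value.map { |v| quote_value(v) }.join(",")
  else              "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Model of sanitize_sql_array: each "?" in the statement is replaced by the
# next bind value, quoted. gsub scans the original statement once, so a "?"
# inside a bound value is never mistaken for a placeholder.
def sanitize_sql_array(ary)
  statement, *values = ary
  unless statement.count("?") == values.size
    raise ArgumentError, "wrong number of bind variables (#{values.size} for #{statement.count('?')})"
  end
  statement.gsub("?") { quote_value(values.shift) }
end

# Condition produced by find(:first, :conditions => ["id = ?", id]).
def conditions_with_placeholder(id)
  sanitize_sql_array(["id = ?", id])
end

# Condition produced by find(id): the primary-key value goes through the
# same quoting, which is what the sanitize_sql trace above shows.
def conditions_for_find(id)
  %("comments"."id" = #{quote_value(id)})
end

# The form the thread is steering away from: a request parameter
# interpolated straight into the SQL, with no quoting at all.
def conditions_interpolated(id)
  "id = #{id}"
end

# Mass-assignment fix generalised: copy only whitelisted keys from params
# (hypothetical helper; the thread sets @comment.body by hand instead).
def filtered_attributes(params, allowed)
  params.select { |key, _| allowed.include?(key.to_s) }
end

if __FILE__ == $0
  id = "1 OR 1=1"                       # constructed request parameter
  puts conditions_interpolated(id)      # id = 1 OR 1=1   (extra clause reaches the DB)
  puts conditions_with_placeholder(id)  # id = '1 OR 1=1' (one string literal, no match)
  puts conditions_for_find(id)          # "comments"."id" = '1 OR 1=1'
end
```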
Phlip
(Phlip)
July 27, 2008, 4:55am
4
comopasta Gr wrote:
> But I am not sure if @comment = @tab.comments.find(params[:id]) is
> already safe against SQL injection. Can anyone clarify it?
How about you inject some SQL hanky-panky and see what happens to it?
(You can also use assert_efficient_sql to reflect the generated SELECT statement, and examine it for the correct escapes around your fishy :id...)
11175
(-- --)
July 27, 2008, 5:30am
5
Thank you for the replies!
Cheers.