text after id in URL (security issue?)

dankelley · February 22, 2007, 12:21pm

I'm a bit of a newbie, so I hope this isn't an already-answered question...

A URL of the form http://(item)/show/25 shows the 25th "item", but I've just noticed that http://(item)/show/25hello also displays this same item.

Q: is this a security concern, e.g. for SQL injection? Also, in the spirit of decreasing the temptation of hackers, is there a way to cause an error to be generated for such URLs, throughout a site?

Stephen_Gerstacker · February 22, 2007, 2:22pm

IIRC, when you do a Model.find(param[:id]), the string is converted to an int via to_i. When ruby does the conversion, it grabs the 2, then the 5 and then sees garbage and returns a 25. If you passed a string of just letters, the conversion would fail and you would get an exception.

Stephen Gerstacker

Topic		Replies	Views
newbie, needs help, can someone explain rubyonrails-talk	7	167	August 15, 2008
URL ID rubyonrails-core	3	131	July 9, 2012
Find id of newly created object rubyonrails-talk	2	141	March 26, 2010
Magic variable: params and :id rubyonrails-talk	1	132	November 28, 2012
bad sql after :conditions => rubyonrails-talk	2	66	January 11, 2009

text after id in URL (security issue?)

Related topics

More Resources