
> I believe that Rails has no problems with SQL injection? All my database queries are going through ActiveRecord.

Used properly, it's safe, but you can still screw up with ActiveRecord. For example:

    User.where("name = '#{params[:name]}'")

That's vulnerable to an SQL injection. You can make it safe by using something like:

    User.find_by_name(params[:name])

Or if you want to stick with the where clause, one out of many ways of doing it is:

    User.where(:name => params[:name])



Yeah, I understand your point.

I have never ever used #{} in my code. When I first learned Rails, I knew this should be avoided at all cost.

I would prefer

    "String 1: " + string1

rather than

    "String 1: #{string1}"

-----


Those two examples are _exactly_ the same; it's clear you don't understand the actual problem.

With SQL, you must never, EVER mix untrusted data (ie, data from a user) with your trusted code (ie, SQL statements). The same applies to HTML - never, EVER mix untrusted data with trusted code (ie, HTML tags). If you want to mix the two, you must either:

a) first take steps to make your untrusted data trustworthy - for HTML, use an appropriate HTML scrubbing library to remove dangerous tags (or simply escape every & or <). For SQL, you'd have to escape all metacharacters - but I wouldn't recommend doing this for SQL, see below.

b) Find a way to transfer the data separately. All modern SQL libraries allow you to specify named variables in your SQL code, then fill in the variables separately. With this, the SQL library takes care of separating the untrusted data and trusted code.

The mechanism used to combine code and data is not the problem - + and #{} are equally harmful if used improperly, and equally harmless if properly escaped.

-----
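The two points made in the thread so far (that `+` and `#{}` build byte-identical SQL, and that the fix is to hand the data to the library separately, as in `User.where(["created_at <= ?", @time])` or `User.where(:name => params[:name])`) can be shown without a database. The following is an added, self-contained Ruby example and not code from the thread or from ActiveRecord; `quote_literal` and `sql_with_binds` are a deliberately minimal stand-in for what a real SQL library does when it fills a `?` placeholder, and the sample input `MALICIOUS_NAME` is constructed for the demonstration.

```ruby
# Added example (not from the thread, not ActiveRecord's code).
# Constructed sample input: a value that tries to close the string literal
# the trusted query opened and append its own condition.
MALICIOUS_NAME = "' OR '1'='1"

# Two ways of gluing untrusted data into trusted SQL text.
# They produce exactly the same string, which is the thread's point:
# the glue operator is irrelevant, the mixing is the problem.
def sql_via_interpolation(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

def sql_via_concat(name)
  "SELECT * FROM users WHERE name = '" + name + "'"
end

# Count single-quoted string literals in a statement (ANSI quoting, where ''
# inside a literal stands for one quote). The trusted template has exactly one
# literal; if the finished statement has more, untrusted data became code.
def count_string_literals(sql)
  sql.scan(/'(?:[^']|'')*'/).size
end

# Minimal stand-in for a library's bind-parameter substitution: each `?` in the
# trusted template is replaced by the QUOTED value, with every embedded quote
# doubled so the value can never terminate the literal it sits in.
# (Real libraries often send template and values to the server separately
# instead of building a string at all; the separation is the same.)
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def sql_with_binds(template, *binds)
  parts = template.split("?", -1)
  raise ArgumentError, "bind count mismatch" unless parts.size - 1 == binds.size
  # Interleave template fragments with quoted values; splitting first means a
  # '?' inside a value can never be mistaken for a placeholder.
  parts.zip(binds.map { |b| quote_literal(b) } + [""]).flatten.join
end

if __FILE__ == $0
  bad = sql_via_interpolation(MALICIOUS_NAME)
  puts "interpolated:  #{bad}   (#{count_string_literals(bad)} literals)"
  puts "concatenated:  #{sql_via_concat(MALICIOUS_NAME)}"
  good = sql_with_binds("SELECT * FROM users WHERE name = ?", MALICIOUS_NAME)
  puts "bound:         #{good}   (#{count_string_literals(good)} literal)"
end
```

Run it and the interpolated and concatenated statements print identically, each containing three string literals instead of the one the template had; the bound version keeps the whole input inside a single literal. The same separation is what ActiveRecord performs for you in the array form `["created_at <= ?", @time]` and the hash form `where(:name => ...)`.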


Sorry for the confusion. I realized that I gave the wrong example.

I should use

    ["created_at <= ?", @time]

rather than

    "created_at <= #{@time}"

This is what I meant actually...

-----


> Yeah, I understand your point.

No, you don't...

-----
