SQL injection in a Rails controller create method

As seen from comment_controller.rb:

    def create
      @comment = Comment.new(params[:comment])
      @comment.save
    end

I assume this is unsafe against SQL injection. But what is the right way to do this? All the examples on the net deal with finds.

+6
sql-injection ruby-on-rails activerecord
2 answers

This code is safe from SQL injection attacks. Escaping is done by ActiveRecord, so every time you invoke find, create, new/save on a model, or any other database interaction method, you're fine. The only exception is if you use raw SQL for one of the parameters, for example:

    Comment.find(:all, :conditions => "user_id = #{params[:user_id]}")

The preferred form is:

    Comment.find(:all, :conditions => {:user_id => params[:user_id]})

which will be automatically protected from SQL injection.

+7

Please note that your sample code is safe from SQL injection, as Alex explained, but it is not protected from mass-assignment exploits.

+4
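The two points the answers make (hash conditions get their values quoted, while `Comment.new(params[:comment])` accepts any attribute the client sends) as an added plain-Ruby illustration; this is not code from the question or from ActiveRecord, and `permit_comment_params`, `conditions_from_hash` and the permitted attribute list are simplified stand-ins chosen here for demonstration.

```ruby
# Added illustration in plain Ruby (no Rails needed). It mirrors two checks the
# answers point at:
#   1. whitelist the attributes a request may mass-assign to Comment.new(...)
#   2. build WHERE conditions from a hash so values are quoted, never interpolated raw
# Names and the attribute list below are assumptions, not ActiveRecord's own API.

# Attributes a client may set on a comment. Anything else (user_id, approved, ...)
# must be set server-side, not taken from params[:comment].
PERMITTED_COMMENT_ATTRS = %w[body title].freeze

# Return only the permitted keys from a request hash; everything else is dropped.
# Keys are normalised to strings so "body" and :body are treated the same.
def permit_comment_params(raw)
  raw.each_with_object({}) do |(key, value), permitted|
    k = key.to_s
    permitted[k] = value if PERMITTED_COMMENT_ATTRS.include?(k)
  end
end

# Minimal value quoting in the spirit of the hash-conditions form: integers are
# emitted as-is, everything else is single-quoted with embedded quotes doubled.
def quote_sql_value(value)
  case value
  when Integer then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Equivalent of :conditions => { :user_id => params[:user_id] }: each key becomes
# "key = <quoted value>", joined with AND. Column names come from code, not input.
def conditions_from_hash(conditions)
  conditions.map { |col, val| "#{col} = #{quote_sql_value(val)}" }.join(" AND ")
end

# The pattern the first answer warns against: the raw parameter lands in the SQL.
def conditions_interpolated(user_id)
  "user_id = #{user_id}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request body: the client also tries to set user_id and approved.
  raw = { "body" => "hi", "user_id" => 1, "approved" => true }
  puts permit_comment_params(raw).keys.join(",")   # body
  input = "1 OR 1=1"
  puts conditions_interpolated(input)              # user_id = 1 OR 1=1
  puts conditions_from_hash(user_id: input)        # user_id = '1 OR 1=1'
end
```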
