#1
SQL Injection and Ruby
I searched a lot on the internet about SQL Injection + Ruby,
but I never found an article that could explain it to me clearly. I know that the following approach will help reduce SQL Injection attacks. Code:
User.find(:first, :conditions => ["login = ? AND password = ?", params[:name], params[:password]])
I found a page where someone says that the parameters will be somewhat "sanitized". The question is: What does he mean by sanitized? In which way are the parameters going to be filtered?
#2
|
||||
|
||||
|
You need to first understand what SQL injection is all about. The concept works like this:
Assume you're building a SQL statement by hand: Code:
sql = "select * from table where param = '#{params[:foo]}' "
(or) Code:
User.find(:first, :conditions => ["login = #{params[:name]} AND password = #{params[:password]}"])
The problem with this approach is that someone can pass a ' in the parameter and break your code. For instance, if I pass "Tim O' Reilly" in there, the SQL will break because of the quote. (i.e.) it will transform to: Code:
select * from table where param = 'Tim O' Reilly'
I won't specify how you can misuse this to cause evil here, but you may be able to figure out for yourself. Regardless, the problem is caused here because we put the parameter into the SQL string directly. The solution is to write some code to properly format the SQL string. For instance: Code:
sql = "select * from table where param = '" + fix_quotes(params[:foo]) + "' "
where fix_quotes is some function that you wrote yourself to format the quotes. After this function runs, the string comes out looking like this: Code:
select * from table where param = 'Tim O\' Reilly'
or some such. The problem with rolling your own functions is:
1. You need to write the code to do this.
2. You don't know if you've covered all the special characters or not. For instance, I could pass \ in my params and your SQL would break again.
Ruby gives you an alternative to these problems: Code:
User.find(:first, :conditions => ["login = ? AND password = ?", params[:name], params[:password]])
In this case, the SQL is not built directly. Instead, the parameter places are marked with ?. When Rails sees this, it will replace the ? with the proper argument and automatically fix them so that special characters don't break the SQL. You can rely on Rails doing it all for you and doing it correctly.
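An added example, not from this thread and not Rails' own code, showing the point of post #2: a home-made fix_quotes beside a placeholder binder in the style of the ? conditions, with a small literal checker to see which output is still a well-formed SQL string. It assumes MySQL-style escaping (backslash before ' and \); the database adapter's own quoting is the authority in a real application.

```ruby
# Added example (not from the thread, not Rails' own code). Assumes
# MySQL-style escaping: a backslash before ' and before \.

# The home-made fix from the post: it only knows about the single quote.
def fix_quotes(value)
  value.to_s.gsub("'") { "\\'" }
end

# What a binder does instead: quote the value as a literal, escaping the
# escape character itself as well as the quote, in a single pass.
def quote(value)
  "'" + value.to_s.gsub(/['\\]/) { |c| "\\" + c } + "'"
end

# Fill each ? in template with the next quoted value, in the spirit of
# User.find(:first, :conditions => ["login = ? AND password = ?", a, b]).
# Marker count is a plain character count; a mismatch is refused, not guessed.
def bind_conditions(template, *values)
  expected = template.count("?")
  unless expected == values.size
    raise ArgumentError, "expected #{expected} values, got #{values.size}"
  end
  template.gsub("?") { quote(values.shift) }
end

# Check that every string literal in a SQL fragment is closed: walk the
# text, skipping the character after a backslash while inside a literal.
def literals_balanced?(sql)
  in_literal = false
  i = 0
  while i < sql.length
    if in_literal && sql[i] == "\\"
      i += 1                      # escaped character, not a terminator
    elsif sql[i] == "'"
      in_literal = !in_literal
    end
    i += 1
  end
  !in_literal
end

if __FILE__ == $0
  # Constructed inputs: the post's apostrophe case and a trailing backslash.
  ["Tim O' Reilly", "abc\\"].each do |param|
    naive = "select * from table where param = '" + fix_quotes(param) + "'"
    bound = bind_conditions("select * from table where param = ?", param)
    puts "naive: #{naive}  balanced=#{literals_balanced?(naive)}"
    puts "bound: #{bound}  balanced=#{literals_balanced?(bound)}"
  end
end
```

The trailing-backslash input is the case post #2 warns about: fix_quotes leaves the closing quote escaped, while the bound form stays balanced.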
#3
I know all that about how SQL Injection is performed, but anyway you cleared my doubt.
It was simple: by using that Ruby procedure that you mention at the end of your reply, it will clean unwanted characters from the string. Thanks.
Viewing: Dev Shed Forums > Programming Languages > Ruby Programming > SQL Injection and Ruby