#1 Registered User (Devshed Newbie, joined Nov 2003, 17 posts)

    SQL Injection and Ruby


    I searched a lot on the internet about SQL Injection + Ruby,

    but I never found an article that could explain it to me clearly.

    I know that the following approach will help reduce SQL Injection attacks.

    User.find(:first, :conditions => ["login = ? AND password = ?", params[:name],
    params[:password]])

    I found a page where someone says that the parameters will be somewhat "sanitized".

    The question is:

    What does he mean by sanitized? In which way are the parameters going to be filtered?
#2 Banned ;) (Devshed Supreme Being, joined Nov 2001, Woodland Hills, Los Angeles County, California, USA, 9,594 posts)

    You need to first understand what SQL injection is all about. The concept works like this:

    Assume you're building a SQL statement by hand:
    Code:
    sql = "select * from table where param = '#{params[:foo]}' "
    (or)
    Code:
    User.find(:first, :conditions => ["login = #{params[:name]} AND password = #{params[:password]}"])
    The problem with this approach is that someone can pass a ' in the parameter and break your code. For instance, if I pass "Tim O' Reilly" in there, the SQL will break because of the quote. (i.e.) it will transform to:
    Code:
    select * from table where param = 'Tim O' Reilly'
    I won't specify how you can misuse this to cause evil here, but you may be able to figure out for yourself. Regardless, the problem is caused here because we put the parameter into the SQL string directly.

    The solution is to write some code to properly format the SQL string. For instance:
    Code:
    sql = "select * from table where param = '" + fix_quotes(params[:foo]) + "' "
    where fix_quotes is some function that you wrote yourself to format the quotes. After this function runs, the string comes out looking like this:
    Code:
    select * from table where param = 'Tim O\' Reilly'
    or some such. The problem with rolling your own functions is:
    1. You need to write the code to do this.
    2. You don't know if you've covered all the special characters or not. For instance, I could pass \ in my params and your SQL would break again.

    Ruby gives you an alternative to these problems:
    Code:
    User.find(:first, :conditions => ["login = ? AND password = ?", params[:name],
    params[:password]])
    In this case, the SQL is not built directly. Instead, the parameter places are marked with ?. When Rails sees this, it will replace the ? with the proper argument and automatically fix them so that special characters don't break the SQL. You can rely on Rails doing it all for you and doing it correctly.
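Added example, not from this thread or from Rails itself: the three approaches in the reply above in plain Ruby, so it runs without Rails. The helper names are made up for this example, `build_bound` only imitates what a `?` placeholder does, and `balanced_quotes?` is a small check for the unterminated-literal failure the reply describes.

```ruby
# Added example, not from the thread: the three approaches above in plain Ruby,
# with no Rails. Helper names are made up; build_bound only imitates what a
# `?` placeholder does, it is not the Rails implementation.

# The broken approach: the parameter lands in the SQL string verbatim.
def build_naive(param)
  "select * from table where param = '#{param}'"
end

# The hand-rolled fixer from the post. It only handles single quotes and is
# left deliberately incomplete to show why rolling your own falls short.
def fix_quotes(value)
  value.gsub("'") { "\\'" }
end

def build_with_fix_quotes(param)
  "select * from table where param = '#{fix_quotes(param)}'"
end

# Quoting in the style of a database adapter: backslashes are escaped first,
# then single quotes, and the result is wrapped in quotes.
def quote_value(value)
  escaped = value.to_s.gsub("\\") { "\\\\" }.gsub("'") { "\\'" }
  "'#{escaped}'"
end

# Stand-in for `?` binding: each `?` in the template is replaced, left to
# right, with the corresponding quoted value. A count mismatch fails loudly.
def build_bound(template, *values)
  if template.count("?") != values.size
    raise ArgumentError, "expected #{template.count('?')} bind values, got #{values.size}"
  end
  pending = values.dup
  template.gsub("?") { quote_value(pending.shift) }
end

# Sanity check on a built statement: counts single quotes that are not
# escaped by a backslash; an odd count means an unterminated string literal.
def balanced_quotes?(sql)
  count = 0
  escaped = false
  sql.each_char do |ch|
    if escaped then escaped = false
    elsif ch == "\\" then escaped = true
    elsif ch == "'" then count += 1
    end
  end
  count.even?
end
```

Feeding "Tim O' Reilly" to `build_naive` reproduces the broken statement from the reply, and a parameter ending in a backslash breaks `build_with_fix_quotes` the same way, while `build_bound` survives both inputs.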
#3 Registered User (Devshed Newbie, joined Nov 2003, 17 posts)

    I know all that about how SQL Injection is performed, but anyway you cleared my doubt.

    It was simple: by using the Ruby procedure that you mention at the end of your reply, it will clean unwanted characters from the string.

    Thanks.
