Railscasts - SQL Injection

#25

Apr 30, 2007

SQL Injection

One of the most common security problems for dynamic sites is SQL Injection. Thankfully Rails does everything it can in solving this issue, but you still need to be aware of it.

Tags: security active-record forms

Download (16.3 MB, 5:29)

alternative download for iPod & Apple TV (8.7 MB, 5:29)

Read it on ASCIIcasts

# tasks_controller.rb
def index
  @tasks = Task.find(:all, :conditions => ["name LIKE ?", "%#{params[:query]}%"])
end

< Previous Episode

Next Episode >

27 comments

1. InMan Apr 30, 2007 at 07:48

Thanks for another tip :)

Report as Spam

2. Nobody Apr 30, 2007 at 15:44

God, I love this site.

Report as Spam

3. Rebort Apr 30, 2007 at 16:21

Great tips.

Although it's not directly relevant to what you're talking about in this video, I'd be a little careful about telling folks they can trust sessions blindly, as those can be hijacked in a variety of ways.

See: http://en.wikipedia.org/wiki/Session_hijacking

Report as Spam

4. Ryan Bates Apr 30, 2007 at 20:46

@Robort, good point! Thanks for bringing that up.

To clarify, in the screencast I was referring to the data inside the session, not the authenticity of it. Friday I'll be posting about cross site scripting which kind of goes along with this.

Report as Spam

5. Nicolás Sanguinetti May 01, 2007 at 09:48

Nice 'cast, as always :)

There's a blog about securing RoR applications, http://www.rorsecurity.info/ which covers a wide range of topcis (from security within rails to securing √MySQL installation). HTH :)

Report as Spam

6. Martin Kjems May 18, 2007 at 01:07

This is the best website on the entire planet.

Question:
Why is it that the percentage signs can not be arround the qustionmark in this statement but need to be in the second argument with the params[:query]?

Task.find(:all, :conditions=>["name LIKE ?", '%' + params[:query] + '%' ])

Thanks

Report as Spam

7. Trevor Turk May 21, 2007 at 00:01

Is there any reason Rails shouldn't just escape the "params" and "cookies" hashes, no matter where you put them in your code?

That would mean "escaping" the conditions hash as a whole, which might be harder than escaping each value one by one.

Seems like a good idea to me, just because stuff is easier to understand when written the insecure way - to me at least.

Report as Spam

8. 殊麒 Aug 12, 2007 at 20:20

非常感谢，可以有这么好的视频来了解和学习rails

Report as Spam

9. Gary Dec 06, 2007 at 18:23

Thanks very much for the episodes and best wishse.

I learned a lot from here.

Report as Spam

10. Cicero Jan 03, 2008 at 09:09

I like big tips and I can not lie!!!

Report as Spam

11. Snailrails Feb 04, 2008 at 06:20

Here is a short informative post I wrote on SQL injections!
http://www.snailrails.com/2008/1/sql-injection

Report as Spam

12. someone Dec 14, 2008 at 21:08

Great site - very useful - I love it. this episode rocks!

Report as Spam

13. Tasyuta Feb 15, 2010 at 05:15

Thanks for blog!!!!Its very nice!!!

Report as Spam

14. Tanyura Feb 20, 2010 at 06:34

Thank you! It is wonderful!

Report as Spam

15. Arsyusha Feb 21, 2010 at 09:43

It is amazing! Thanks!

Report as Spam

16. Marimyanka Feb 22, 2010 at 10:46

Very useful information!

Report as Spam

17. Vlada Feb 23, 2010 at 07:27

this is just perfect!

Report as Spam

18. Galka Feb 24, 2010 at 14:11

It is amazing! Thanks!

Report as Spam

19. Irena Feb 26, 2010 at 13:31

Thanks for blog!!!!Its very nice!!!

Report as Spam

20. Tonya Feb 27, 2010 at 09:43

I read it with the lot of pleasure! Thanks!

Report as Spam

21. Gotya Mar 01, 2010 at 04:06

It is marvellous! I like it!

Report as Spam

22. Ama Mar 02, 2010 at 02:44

Thanks! It is beautiful!!

Report as Spam

23. Lidusha Mar 09, 2010 at 11:54

The blog is super! Thanks for it!

Report as Spam

24. Ritusya Mar 10, 2010 at 11:53

Good matherial.

Report as Spam

25. Nikusha Mar 11, 2010 at 07:07

I think i have same problem too

Report as Spam

26. jhj1989 Mar 17, 2010 at 01:50

ghd iv styler hair straightener is used to straighten hair, high-temperature electronics. The main body of the temperature through a heat conduction to a metal plate or ceramic plate surface, the surface temperature is set at 200 degrees, through which heat up 200 degrees of the splint to straighten the hair.

Report as Spam

27. yyl Mar 17, 2010 at 02:25

The new GHD.IV Styler is one of many hair care products in the most popular, which makes it easy for colleges and universities has straight hair. So you can always have a beautiful flowing straight hair, the use of imported PTC heating elements, fast heat up 180 degrees temperature does not harm hair, smooth ceramicsurface, straightened hair

Report as Spam

SQL Injection

27 comments

Add your comment: