SQL injection is one of the most common security problems in dynamic web applications. Rails' parameterized conditions do most of the work of preventing it, but only when you actually use them: interpolating user input straight into a query string bypasses that protection entirely, so you still need to know where the holes are.
Great tips.
Although it's not directly relevant to what you're talking about in this video, I'd be a little careful about telling folks they can trust sessions blindly, as those can be hijacked in a variety of ways.
See: http://en.wikipedia.org/wiki/Session_hijacking
@Robort, good point! Thanks for bringing that up.
To clarify, in the screencast I was referring to the data inside the session, not the authenticity of it. Friday I'll be posting about cross site scripting which kind of goes along with this.
Nice 'cast, as always :)
There's a blog about securing RoR applications, http://www.rorsecurity.info/ which covers a wide range of topics (from security within Rails to securing a MySQL installation). HTH :)
This is the best website on the entire planet.
Question:
Why is it that the percentage signs cannot be around the question mark in this statement but need to be in the second argument with the params[:query]?
Task.find(:all, :conditions=>["name LIKE ?", '%' + params[:query] + '%' ])
Thanks
Hi, did you discover the answer to this question? I wanted to ask it as well!
Is there any reason Rails shouldn't just escape the "params" and "cookies" hashes, no matter where you put them in your code?
That would mean "escaping" the conditions hash as a whole, which might be harder than escaping each value one by one.
Seems like a good idea to me, just because stuff is easier to understand when written the insecure way - to me at least.
Thank you very much; it's great to have such good videos for understanding and learning Rails.
Thanks very much for the episodes and best wishes.
I learned a lot from here.
I like big tips and I can not lie!!!
Here is a short informative post I wrote on SQL injections!
http://www.snailrails.com/2008/1/sql-injection
When using :conditions => ["name LIKE ?", "%#{params[:query]}%"], it seems like character '%' in params[:query] won't be escaped to '\%'. Is there any way to fix this without replacing the param?
This episode has been updated for Rails 5 as a blog post: SQL Injection in Rails 5 Apps.