#25
Apr 30, 2007
12 comments

SQL Injection

One of the most common security problems for dynamic sites is SQL Injection. Thankfully Rails does everything it can in solving this issue, but you still need to be aware of it.
Tags: security active-record forms
Download (16.3 MB, 5:29)
alternative download for iPod & Apple TV (8.7 MB, 5:29) 
# tasks_controller.rb
def index
  @tasks = Task.find(:all, :conditions => ["name LIKE ?", "%#{params[:query]}%"])
end

RSS Feed for Episode Comments 12 comments

1. InMan Apr 30, 2007 at 07:48

Thanks for another tip :)

2. Nobody Apr 30, 2007 at 15:44

God, I love this site.

3. Rebort Apr 30, 2007 at 16:21

Great tips.

Although it's not directly relevant to what you're talking about in this video, I'd be a little careful about telling folks they can trust sessions blindly, as those can be hijacked in a variety of ways.

See: http://en.wikipedia.org/wiki/Session_hijacking

4. Ryan Bates Apr 30, 2007 at 20:46

@Robort, good point! Thanks for bringing that up.

To clarify, in the screencast I was referring to the data inside the session, not the authenticity of it. Friday I'll be posting about cross site scripting which kind of goes along with this.

5. Nicolás Sanguinetti May 01, 2007 at 09:48

Nice 'cast, as always :)

There's a blog about securing RoR applications, http://www.rorsecurity.info/ which covers a wide range of topcis (from security within rails to securing √MySQL installation). HTH :)

6. Martin Kjems May 18, 2007 at 01:07

This is the best website on the entire planet.

Question:
Why is it that the percentage signs can not be arround the qustionmark in this statement but need to be in the second argument with the params[:query]?

Task.find(:all, :conditions=>["name LIKE ?", '%' + params[:query] + '%' ])

Thanks

7. Trevor Turk May 21, 2007 at 00:01

Is there any reason Rails shouldn't just escape the "params" and "cookies" hashes, no matter where you put them in your code?

That would mean "escaping" the conditions hash as a whole, which might be harder than escaping each value one by one.

Seems like a good idea to me, just because stuff is easier to understand when written the insecure way - to me at least.

8. 殊麒 Aug 12, 2007 at 20:20

非常感谢,可以有这么好的视频来了解和学习rails

9. Gary Dec 06, 2007 at 18:23

Thanks very much for the episodes and best wishse.

I learned a lot from here.

10. Cicero Jan 03, 2008 at 09:09

I like big tips and I can not lie!!!

11. Snailrails Feb 04, 2008 at 06:20

Here is a short informative post I wrote on SQL injections!
http://www.snailrails.com/2008/1/sql-injection

12. kino May 23, 2008 at 01:53

Philosophy (and it must not be supposed that this is true) may not contradict itself, but it is still possible that it may be in contradiction with the Categories, by means of analytic unity.

Add your comment:

(SKIP THIS ONE)

(required)

(not shown)


(use pastie or gist for code)

navigation:
sponsored by:
tags:
if you want to help:
required:
Get Quicktime Player