Using the placeholder syntax to protect against SQL injection attacks in Ruby on Rails.
Worried about how to protect against SQL injection attacks in Ruby on Rails, I posted a question to the Ruby on Rails list. My question (in response to an ongoing discussion) was:

No, I am not using a direct value from the forms. However, I would appreciate it if you could tell me how one would add slashes to the string, or replace the quotes in the input value. I know it can be done in PHP using addslashes and str_replace. What are the appropriate functions in Ruby on Rails?
I am sure many of us starting out on ROR would benefit from your answer.
Thanks for your assistance.
Frank

Ezra Zygmuntowicz was quick to come to my rescue. She says:

You do not need to call any special functions to add slashes or escape things for the database in Rails as long as you use the placeholder syntax. So if you just get in the habit of always using the ? placeholders like you were shown with the snippet below, you will not have to worry about escaping anything before inserting or querying the db:

    def self.home_categories(portal_id)
      find(:all, :conditions => [ "portal_id=?", portal_id ])
    end

This is the important syntax:

    :conditions => [ "portal_id=?", portal_id ]

Cheers
--Ezra

Thanks to Ezra for her assistance.
Frank
2 Comments:
How do you format them if you have multiple placeholders?
More placeholders - more array elements:
:conditions => [ "portal_id=? and user_id = ?", portal_id, user_id ]