Gist karthiks/1304274, created October 21, 2011 16:33
Custom finders and SQL Injections
################################################################################
################################## Yucky code ##################################
# Class method on the User model (ActiveRecord::Base).
def self.find_by_name(name)
  # Prone to SQL injection: the raw parameter is interpolated straight into the SQL text.
  # Imagine the parameter name = "1; drop table users;"
  User.all(:conditions => "first_name LIKE #{name}% OR last_name LIKE #{name}%")
end
############################################################################################################################
# For Active Record to sanitize the input parameters against SQL injection, you may adopt one of the following styles:
# Positional placeholders. Do not put quotes around the "?": Active Record quotes the bound value itself,
# so "LIKE '?'" would produce a doubly quoted, broken literal.
def self.find_by_name(name)
  User.all(:conditions => ["first_name LIKE ? OR last_name LIKE ?", "#{name}%", "#{name}%"])
end
# Named placeholders; the same value can be referenced more than once.
def self.find_by_name(name)
  User.all(:conditions => ["first_name LIKE :name OR last_name LIKE :name", { :name => name + '%' }])
end
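Added example, not part of the gist: a minimal stand-in for what Active Record's placeholder binding does to the input, so the difference between the interpolated finder and the two placeholder styles can be seen without a database. The names quote_value, bind_conditions, interpolated_where, positional_where, named_where and escape_like are assumed, and the LIKE-wildcard escaping is a caveat that goes slightly beyond the gist.

```ruby
# Quote a Ruby value the way a SQL adapter does: wrap it in single quotes and
# double any embedded single quote so it cannot terminate the literal.
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Substitute positional "?" or named ":key" placeholders with quoted values.
# Stand-in for ActiveRecord's sanitize_sql_array (assumed helper, not AR itself).
def bind_conditions(sql, *binds)
  if binds.length == 1 && binds.first.is_a?(Hash)
    binds.first.reduce(sql) do |stmt, (key, value)|
      stmt.gsub(/:#{key}\b/) { quote_value(value) }
    end
  else
    values = binds.dup
    sql.gsub('?') { quote_value(values.shift) }
  end
end

# The gist's "yucky" style: the parameter becomes part of the SQL text, so a
# semicolon in it ends the statement instead of being matched as data.
def interpolated_where(name)
  "first_name LIKE #{name}% OR last_name LIKE #{name}%"
end

# Positional binding, as in the gist's first safe finder: the whole input,
# semicolons and quotes included, ends up inside one string literal.
def positional_where(name)
  bind_conditions("first_name LIKE ? OR last_name LIKE ?", "#{name}%", "#{name}%")
end

# Named binding, as in the gist's second safe finder.
def named_where(name)
  bind_conditions("first_name LIKE :name OR last_name LIKE :name", { name: name + '%' })
end

# Extra caveat: '%' and '_' inside the input are LIKE wildcards. That is not an
# injection, but escaping them keeps the match literal. Assumes backslash is the
# LIKE escape character; add an ESCAPE clause where the database needs one.
def escape_like(value)
  value.gsub(/[\\%_]/) { |c| "\\#{c}" }
end
```

With the gist's own input "1; drop table users;", interpolated_where yields two statements separated by a bare semicolon, while both bound forms yield a single literal '1; drop table users;%'.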