rails named scopes and sql injection

[and...@benjamin.dk]

HI guys,

I just came through an example on code of the place I work for that said something like this could be vulnerable to sql injection attacks:

scope :with_name, lambda { |name| where("LOWER(name) LIKE ?", name.downcase) }

I wonder if this is true. My thought is that rails should escape this and that anything that tried to do something different would fail on the translation to SQL, but does anybody know exactly what happens behind the curtains?

all the best,

Andre

[Matt Jones]

Everything that's inserted into placeholders (the ? above) is escaped - so characters like ' will not break the SQL quoting and allow mischief. Modern Rails versions will even use prepared statements to do this, if your DB adapter supports them.

Your colleague may have been thinking of the (similar but NOT SECURE) form:

scope :with_name_plus_HAX, lambda { |name| where("LOWER(name) LIKE '#{name}'") }

Here the variable is manually interpolated, and will NOT get any escaping. DON'T DO THIS. :)

--Matt Jones

[Julian Leviston]

AFAIK, using the array syntax, or the syntax you used in the where IS NOT vulnerable to injection attacks. This matches up with my experience.

You can try this out yourself to verify.

Julian

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-ta...@googlegroups.com.
To post to this group, send email to rubyonra...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/sUZMdFuzGT0J.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[and...@benjamin.dk]

I just dont have the time right now to try this. just wanted to see if there was any documentation the subject because I couldnt find anything that would tell me otherwise. but thanks for your help guys :)

[Julian Leviston]

It'd take less time that replying to this email.

You should always teach yourself with micro-experiments where possible IMHO.

Julian

To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/VOAgpv4-pCwJ.