Avoiding SQL Injection

527 views
Skip to first unread message

Richard

unread,
Jul 1, 2009, 5:38:23 PM7/1/09
to sinatrarb
Hello,

I have some forms that take input from the user and save them to a
database with DataMapper. I have been unsuccessful at finding a
definitive answer but does DM offer any SQL sanitizing or is there a
good ruby library out there that will do this?

Thanks!

Jonathan Stott

unread,
Jul 1, 2009, 6:01:56 PM7/1/09
to sina...@googlegroups.com

Hi Richard

If you use the create/new/all/first api (i.e. avoid raw SQL methods like find_by_sql and execute), DataMapper uses the database's own quoting functions to insert and query the database with user supplied params. So there shouldn't be any risk of SQL injection while using DM.

Regards,
Jon

Richard

unread,
Jul 1, 2009, 6:23:43 PM7/1/09
to sinatrarb
On Jul 1, 3:01 pm, Jonathan Stott <jonathan.st...@gmail.com> wrote:
> On Wed, 1 Jul 2009 14:38:23 -0700 (PDT)
>
Great, thanks!

I was thinking that since I saw a lot of examples use DM from input
forms directly but you can't be too safe with this kind of thing.

Richard
Reply all
Reply to author
Forward
0 new messages