Security, sanitizing search


anatoly

Jun 4, 2009, 12:47:40 AM6/4/09
to Thinking Sphinx
I'm reviewing security in general for my site. One thing I am not
sure about yet is whether there are any sanitisation / SQL injection
countermeasures within TS. Would like to hear any tips on this
topic, with respect to searching with TS. Many thanks.

Pat Allan

Jun 5, 2009, 12:48:11 AM6/5/09
to thinkin...@googlegroups.com
There are a few areas to cover:

Sphinx Searching
- does not use SQL, and cannot modify data, so this is safe.

Underlying searches for ActiveRecord objects, using search results
from Sphinx
- Uses hash arguments in #find calls - which ActiveRecord sanitises,
I'm pretty certain
- Can pass arguments to :order option if using :sql_order in your
search calls. Does AR sanitise :order?

Sphinx Indexing
- Uses SQL statements
- Only defined within a define_index block - so you'd have to have
some Ruby injection happening to have any effect on that (to change
the sql contents and then regenerate the config file and re-index
Sphinx).

--
Pat
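An added example (not from the thread or from Thinking Sphinx itself) for the :order concern Pat raises above: ActiveRecord interpolates a raw :order string into the SQL rather than escaping it, so a value that is about to become :sql_order should be rebuilt from an allowlist instead of passed through. The column names, the `Article` model and the `params[:sort]` source below are assumptions.

```ruby
# Allowlist a user-supplied sort parameter before it reaches
# Thinking Sphinx's :sql_order, which becomes ActiveRecord's :order.
# Column names here are constructed for the example.
ALLOWED_SORT_COLUMNS = %w[created_at title price].freeze
ALLOWED_DIRECTIONS   = %w[ASC DESC].freeze

# Returns a safe "column DIRECTION" string built only from allowlisted
# tokens, the default when the input is blank, or nil when the input
# is not on the allowlist. No part of the raw input is ever emitted.
def safe_sql_order(param, default: "created_at DESC")
  text = param.to_s.strip
  return default if text.empty?

  column, direction = text.split(/\s+/, 2)
  direction = (direction || "ASC").upcase

  return nil unless ALLOWED_SORT_COLUMNS.include?(column)
  return nil unless ALLOWED_DIRECTIONS.include?(direction)

  "#{column} #{direction}"
end

# Constructed inputs, as a controller might receive them in params[:sort]:
safe_sql_order("price ASC")        # => "price ASC"
safe_sql_order("title")            # => "title ASC"
safe_sql_order("price DESC, 1=1")  # => nil   (anything past the direction is rejected)
safe_sql_order(nil)                # => "created_at DESC"

# Intended use with an assumed Article model (not run here):
#   order = safe_sql_order(params[:sort]) or raise ActionController::BadRequest
#   Article.search(params[:q], :sql_order => order)
```

Rejecting with nil (and returning a 400) rather than silently falling back makes tampering visible in the logs.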