Avoiding SQL Injection


Richard

Jul 1, 2009, 5:38:23 PM7/1/09
to sinatrarb
Hello,

I have some forms that take input from the user and save them to a
database with DataMapper. I have been unsuccessful at finding a
definitive answer but does DM offer any SQL sanitizing or is there a
good ruby library out there that will do this?

Thanks!

Jonathan Stott

Jul 1, 2009, 6:01:56 PM7/1/09
to sina...@googlegroups.com

Hi Richard

If you use the create/new/all/first API (i.e. avoid raw SQL methods like find_by_sql and execute), DataMapper uses the database's own quoting functions to insert and query the database with user-supplied params. So there shouldn't be any risk of SQL injection while using DM.

Regards,
Jon
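An added example (not from the thread) of the distinction Jon draws: a lookup through DataMapper's finder API, the bind-value form if raw SQL is unavoidable, and the interpolated string that must be avoided. It assumes dm-core 1.x with the SQLite adapter (dm-sqlite-adapter) for the DataMapper part; the model, sample rows and the hostile input are constructed for illustration, and the interpolation comparison runs without any gem.

```ruby
# Assumption: dm-core 1.x plus dm-sqlite-adapter are installed. If not,
# only the string-interpolation comparison below is defined.
begin
  require 'dm-core'
  DM_AVAILABLE = true
rescue LoadError
  DM_AVAILABLE = false
end

# Constructed input of the kind a form field might carry.
HOSTILE_NAME = "bob' OR '1'='1"

# UNSAFE: interpolation pastes the value into the SQL text, so the quote
# in HOSTILE_NAME closes the literal and the rest is parsed as SQL.
def interpolated_sql(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

if DM_AVAILABLE
  DataMapper.setup(:default, 'sqlite::memory:')

  class User                       # hypothetical model
    include DataMapper::Resource
    property :id,   Serial
    property :name, String
  end
  DataMapper.finalize
  User.auto_migrate!
  User.create(:name => 'alice')
  User.create(:name => 'bob')

  # SAFE: the finder API passes `name` to the driver as a bind parameter,
  # so HOSTILE_NAME is compared as a whole string and matches nothing.
  def safe_lookup(name)
    User.all(:name => name).map(&:name)
  end

  # If raw SQL is really needed, use `?` placeholders with bind values;
  # never build the statement with interpolation.
  def raw_bound_lookup(name)
    repository(:default).adapter.select('SELECT name FROM users WHERE name = ?', name)
  end
end
```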

Richard

Jul 1, 2009, 6:23:43 PM7/1/09
to sinatrarb
On Jul 1, 3:01 pm, Jonathan Stott <jonathan.st...@gmail.com> wrote:
> On Wed, 1 Jul 2009 14:38:23 -0700 (PDT)
>
Great, thanks!

I was thinking that, since I saw a lot of examples use DM from input
forms directly, but you can't be too safe with this kind of thing.

Richard