This problem is actually a different one to the YAML one. Yes, MySQL is being dumb, but really it's just that the params object used to always return strings, now it returns other types. Undoubtedly, even without MySQL, that may well cause bugs/vulnerabilities in code that's expecting strings to come out of parameters to controllers.
On Thu, Feb 7, 2013 at 8:22 AM, Tim Uckun <[email protected]> wrote:

> > I guess the only solution really is to not use MySQL :/
>
> Although that's a good idea in general, I would argue that the only solution really is for the rails YAML parser not to be so liberal with tainted strings. I won't go into why the entire ruby taint mechanism is lame, but at least rails could adopt this gem: https://github.com/dtao/safe_yaml
>
> Yes, mysql sucks and it's really easy for us postgres snobs to point and laugh at people who use mysql, but by the same token other framework snobs can point and laugh at rails and say "this framework allows instantiation of objects from tainted strings and therefore should be avoided".
>
> The only real solution is for rails to treat tainted strings in a much more strict manner.

--
You received this message because you are subscribed to the Google Groups "Ruby or Rails Oceania" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/rails-oceania?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
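An added example, not code from either message in this thread: a small Ruby helper illustrating the check the first reply implies, that controller code which assumes every parameter is a String should refuse values that a type-casting parser turned into Integer, nil, Array or Hash instead of passing them on. The helper names, the exception class and the sample params hash are hypothetical.

```ruby
# Controller code written for form-encoded input assumes params values are
# Strings. A parser that type-casts (JSON, XML) can deliver Integer, nil,
# Array or Hash for the same key, and downstream comparisons or queries may
# then behave differently from the string case. Rejecting anything that is
# not a plain String at the controller boundary keeps that assumption true.

class BadParamType < ArgumentError; end

# Returns the value for +key+ if it is a String, otherwise raises.
# Coercing with to_s would silently turn nil into "" and 0 into "0",
# which is exactly the ambiguity we want to surface, so we refuse instead.
def require_string_param(params, key)
  value = params[key]
  unless value.is_a?(String)
    raise BadParamType, "param #{key.inspect} must be a String, got #{value.class}"
  end
  value
end

# Checks every expected key, collecting either the accepted String or the
# BadParamType error describing why the value was rejected.
def check_all(params, keys)
  keys.each_with_object({}) do |key, out|
    begin
      out[key] = require_string_param(params, key)
    rescue BadParamType => e
      out[key] = e
    end
  end
end

# Constructed sample: the shapes a typed parser could hand to a controller.
SAMPLE_PARAMS = {
  "name"     => "alice",          # String: accepted
  "password" => 0,                # Integer: rejected
  "token"    => nil,              # nil (e.g. a nil-typed element): rejected
  "email"    => ["a@b.example"],  # Array: rejected
  "profile"  => { "x" => "1" },   # Hash: rejected
}

if __FILE__ == $0
  check_all(SAMPLE_PARAMS, SAMPLE_PARAMS.keys + ["missing"]).each do |k, v|
    puts "#{k}: #{v.is_a?(BadParamType) ? "REJECT (#{v.message})" : "ok"}"
  end
end
```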
