Sure, I wasn't trying to argue your point.  I was just suggesting that
there does exist legitimate circumstances where you'd want to
circumvent this "protection."  Jonathan, are you suggesting that due
to the risks, we shouldn't allow any way (even in a very localized
fashion) to bypass that?

I can phrase the question another way.  Would you write the following
chunk of code in a different way?

sql = <<-SQL
  <statement_1>;
  <statement_2>;
  <statement_3>;
SQL

sql.strip.split(';').each do |s|
  ActiveRecord::Base.connection.execute(s)
end

(btw, I realize there's wasted cycles here in splitting what amounts
to a static string... my code looks like this so that I can debug
easier directly in the mysql shell by copying/pasting that chunk.
Furthermore, it just reads a lot nicer to any dev coming behind me)

Perhaps the best answer is simply going with a stored procedure?

-John

On Feb 19, 8:01 am, Jonathan Weiss <j...@innerewut.de> wrote:
> > This said, I'd argue that avoiding this option to prevent SQL
> > Injection is a "paranoid configuration."  In other words, the DB admin
> > doesn't necessarily trust his application devs.  If we just sanitize
> > all input (which is what we're supposed to do anyway when receiving
> > data from the client), you'd avoid this, no?
>
> Paranoid configurations are exactly the thing you want from a security
> standpoint. Defense in depth is very important. It is not that the DB
> admin does not trust his devs but that they are not perfect and make
> mistakes.
>
> Jonathan
>
> --
> Jonathan Weiss
> http://blog.innerewut.de
> http://twitter.com/jweiss
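An added example, not code from the thread: a splitter for John's heredoc approach that respects single-quoted literals (a ';' inside a string would otherwise cut the statement in two) and runs the pieces inside one transaction, so the server-side multi-statement option can stay disabled. `conn` is assumed to respond to `transaction` and `execute` like an ActiveRecord connection; FakeConnection stands in for it so the example runs offline.

```ruby
# Added example, not code from the original thread. Handles ';' inside
# single-quoted literals ('' and backslash escapes); SQL comments and
# double-quoted literals are not handled. Statements stay developer-authored.

def split_sql_statements(sql)
  statements = []
  current = +""
  in_string = false
  i = 0
  while i < sql.length
    ch = sql[i]
    if in_string
      current << ch
      if ch == "'" && sql[i + 1] == "'"   # '' is an escaped quote, stay inside
        current << "'"; i += 1
      elsif ch == "'"
        in_string = false
      elsif ch == "\\" && sql[i + 1]      # backslash escape (MySQL default)
        current << sql[i + 1]; i += 1
      end
    elsif ch == "'"
      in_string = true
      current << ch
    elsif ch == ";"                        # statement boundary outside a literal
      statements << current.strip
      current = +""
    else
      current << ch
    end
    i += 1
  end
  raise ArgumentError, "unterminated string literal" if in_string
  statements << current.strip
  statements.reject(&:empty?)
end

# Execute every statement on its own, within a single transaction, so a
# failure half-way does not leave the earlier statements applied.
def run_statements(conn, sql)
  conn.transaction do
    split_sql_statements(sql).map { |s| conn.execute(s) }
  end
end

class FakeConnection          # assumed stand-in for a real connection (offline demo)
  attr_reader :executed
  def initialize; @executed = []; end
  def transaction; yield; end
  def execute(s); @executed << s; s; end
end
```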
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.