Tom Ha wrote:
> Hi there,
>
> is it correct that one should always use both...
>
> 1. sanitize(params[:whatever_external_or_user_input_to_save_to_database]),
> AND
> 2. h(@whatever_database_record_to_display_on_page)
>
> ...in order to have the highest security level?
AFAIK, sanitize should not be necessary -- ActiveRecord uses parameterized queries, which already protect against SQL injection without further sanitization. (If you write your own SQL, your queries should also be parameterized.)

h, on the other hand, is not about security so much as it is about keeping markup valid and correct. You should definitely use it on anything that comes from the DB, unless you're deliberately storing HTML code in there.

BTW, if you use Haml (highly recommended), it has a very useful shorthand construct for this (&= instead of h), and you can even turn on HTML escaping as a global default.

Best,
--
Marnen Laibow-Koser
http://www.marnen.org
[email protected]
--
Posted via http://www.ruby-forum.com/.
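As an added illustration of the output-escaping half of the question (not code from either poster, and not Rails' own implementation), the block below uses Ruby's standard-library ERB::Util.html_escape as a stand-in for the Rails h() helper. The two records are constructed sample rows standing in for values loaded from the database; the point is that whatever happened on the way in, every value interpolated into markup on the way out goes through h(). It also shows the common double-escaping pitfall, where applying h() twice turns "&amp;" into "&amp;amp;".

```ruby
require "erb"

# Constructed sample rows, standing in for records loaded from the database.
# The second one carries markup that must never reach the browser unescaped.
RECORDS = [
  { name: "Tom & Jerry", comment: "plain text" },
  { name: "<script>alert(1)</script>", comment: "\"quoted\" & <b>bold</b>" },
].freeze

# Stand-in for the Rails h() helper: HTML-escape a value before it is
# placed inside markup. <, >, &, " and ' are all replaced with entities.
def h(value)
  ERB::Util.html_escape(value.to_s)
end

# Render one record as a table row, escaping every interpolated field.
# This is what a view should do with anything that came from the DB.
def render_row(record)
  template = ERB.new("<tr><td><%= h(record[:name]) %></td><td><%= h(record[:comment]) %></td></tr>")
  template.result(binding)
end

# The same template without h(): shown only to make the difference visible.
def render_row_unescaped(record)
  template = ERB.new("<tr><td><%= record[:name] %></td><td><%= record[:comment] %></td></tr>")
  template.result(binding)
end

# Defensive check for a view test: the rendered output must not contain any
# field of the record verbatim if that field carries a tag.
def contains_raw_markup?(html, record)
  record.values.any? { |v| v.to_s.include?("<") && html.include?(v.to_s) }
end

# Double-escaping pitfall: h(h(x)) differs from h(x) whenever x contains a
# character that escapes to an entity, because the "&" of the entity is
# escaped again. Use this to spot helpers that escape already-escaped text.
def double_escaped?(value)
  h(h(value)) != h(value)
end

if __FILE__ == $PROGRAM_NAME
  RECORDS.each do |record|
    puts render_row(record)
  end
  puts "double escaping changes output: #{double_escaped?('Tom & Jerry')}"
end
```

Run it with `ruby escape_demo.rb`; the second row prints with `&lt;script&gt;` rather than a live tag. In a Rails app the same contains_raw_markup? style check belongs in a view or request spec, so a template that drops h() (or calls html_safe on DB content) fails a test instead of shipping.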

