On Sunday, January 20, 2013 4:12:40 AM UTC-8, Johnny wrote:
> How do I protect against attacks when utilizing Sequel models for database
> interactions?
>
Unless you do something like:
DB[:users].where("id = #{params['id']}")
You should probably be OK. Sequel encourages the following API:
DB[:users].where(:id => params['id'])
Though you can also use placeholders with strings:
DB[:users].where("id = ?", params['id'])
Personally, I'm paranoid and I tend to do the following:
DB[:users].where(:id => params['id'].to_i)
as I want to make absolutely sure I'm using the type I'm expecting. I
encourage using such type casting methods (e.g. to_s, to_i) if possible.
If I am expecting an array, I generally preprocess it in a similar manner:
DB[:users].where(:id => params['ids'].map{|s| s.to_i})
Thanks,
Jeremy
--
You received this message because you are subscribed to the Google Groups
"sequel-talk" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/sequel-talk/-/ghytTvYGpYgJ.
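An added example (not from Jeremy's post or the Sequel project) of the preprocessing step he describes, contrasting the lenient to_i he uses with a strict parse that refuses anything that is not a decimal integer. It is plain Ruby so it runs without the sequel gem loaded; the returned value is what you would hand to DB[:users].where(:id => ...).

```ruby
# The coercion from the post: String#to_i never raises, but it also
# never complains, so "12abc" becomes 12 and "abc" or nil becomes 0.
def lenient_id(param)
  param.to_i
end

# Strict alternative: Kernel#Integer with base 10 raises ArgumentError on
# anything that is not a whole decimal number, which we turn into nil so
# the caller can reject the request instead of querying for id = 0.
def strict_id(param)
  Integer(param.to_s, 10)
rescue ArgumentError
  nil
end

# Array variant for params['ids']. Array() tolerates a missing parameter
# (nil) and a scalar sent where a list was expected; values that fail the
# strict parse are dropped rather than silently becoming 0.
def strict_ids(params_value)
  Array(params_value).map { |v| strict_id(v) }.compact
end
```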