What about if I do something like Animal.create(:description =>
params['description'])? Description is a string parameter and wouldn't I be
in trouble if it included an attack? Something along the lines of Bobby
Drop Tables <http://xkcd.com/327/>?
On Sunday, January 20, 2013 7:38:34 PM UTC+2, Jeremy Evans wrote:
>
> On Sunday, January 20, 2013 4:12:40 AM UTC-8, Johnny wrote:
>
>> How do I protect against attacks when utilizing Sequel models for
>> database interactions?
>>
>
> Unless you do something like:
>
> DB[:users].where("id = #{params['id']}")
>
> You should probably be OK. Sequel encourages the following API:
>
> DB[:users].where(:id => params['id'])
>
> Though you can also use placeholders with strings:
>
> DB[:users].where("id = ?", params['id'])
>
> Personally, I'm paranoid and I tend to do the following:
>
> DB[:users].where(:id => params['id'].to_i)
>
> as I want to make absolutely sure I'm using the type I'm expecting. I
> encourage using such type casting methods (e.g. to_s, to_i) if possible.
> If I am expecting an array, I generally preprocess it in a similar manner:
>
> DB[:users].where(:id => params['ids'].map{|s| s.to_i})
>
> Thanks,
> Jeremy
>
--
You received this message because you are subscribed to the Google Groups
"sequel-talk" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/sequel-talk/-/QlGCSKnlf4kJ.