On 2013-01-21 at 10:23, Johnny wrote:
> What about if I do something like Animal.create(:description =>
> params['description'])? Description is a string parameter and wouldn't I be in
> trouble if it included an attack? Something along the lines of Bobby Drop
> Tables?
Sequel automatically escapes values, so the final SQL statement will look
something like:
INSERT INTO animals(description) VALUES ('''; DROP TABLE animals --')
Notice the literal quote in the description value was correctly escaped.
Bye,
François
--
You received this message because you are subscribed to the Google Groups
"sequel-talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/sequel-talk?hl=en.
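Added example, not part of the thread above and not Sequel's own code: a small Ruby script that reproduces the quote-doubling rule Sequel applies when it literalizes a string (the `sql_literal` helper is our own reimplementation, written for illustration) and contrasts the statement Johnny feared with the one François shows. The `split_statements` helper is a minimal tokenizer that reads the SQL the way a database would, honouring quoted strings, doubled quotes and `--` comments, so it can show how many statements each version actually contains. The sample value is constructed.

```ruby
# Constructed sample input: the "Bobby Tables" style description value.
ATTACK_VALUE = "'; DROP TABLE animals --"

# Our own minimal version of the default string literalization rule Sequel
# uses (wrap in single quotes, double any embedded single quote). In real
# code call DB.literal or let the dataset build the statement for you.
def sql_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# The unsafe pattern: the raw value is interpolated into the SQL text.
def insert_interpolated(description)
  "INSERT INTO animals(description) VALUES ('#{description}')"
end

# The safe pattern: the value is literalized first, as Sequel does.
def insert_escaped(description)
  "INSERT INTO animals(description) VALUES (#{sql_literal(description)})"
end

# Split SQL text into top-level statements. A ';' inside a quoted string
# does not separate statements, '' inside a string is an escaped quote,
# and '--' starts a comment that runs to the end of the line.
def split_statements(sql)
  statements = []
  current = +""
  in_string = false
  i = 0
  while i < sql.length
    ch = sql[i]
    if in_string
      current << ch
      if ch == "'"
        if sql[i + 1] == "'"
          current << "'"   # doubled quote: still inside the string
          i += 1
        else
          in_string = false
        end
      end
    elsif ch == "'"
      in_string = true
      current << ch
    elsif ch == "-" && sql[i + 1] == "-"
      nl = sql.index("\n", i)
      break if nl.nil?     # comment swallows the rest of the input
      i = nl
    elsif ch == ";"
      statements << current.strip
      current = +""
    else
      current << ch
    end
    i += 1
  end
  statements << current.strip unless current.strip.empty?
  statements
end

if __FILE__ == $PROGRAM_NAME
  [insert_interpolated(ATTACK_VALUE), insert_escaped(ATTACK_VALUE)].each do |sql|
    parts = split_statements(sql)
    puts "#{sql}\n  -> #{parts.length} statement(s): #{parts.inspect}"
  end
end
```

Running it shows the interpolated version parsing as two statements (the INSERT of an empty string, then `DROP TABLE animals`), while the escaped version is exactly the single statement François quoted, with the whole attack value sitting inside one string literal. Note that the exact escaping differs per adapter (MySQL, for example, also needs backslashes escaped), which is why the literalization should be left to Sequel rather than reimplemented in application code.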