thank_you

Reputation: 11107

Rails, SQL Injection, and Params

I have this line of code inside of my controller.

user = User.find_by_email(params[:email])

Should I have to worry about SQL injection with this line of code? Most of the examples I've seen for SQL injection involve conditionals. I would assume this is a yes but want some outside input.

Upvotes: 2

Views: 744

Answers (1)

Jay Truluck

Reputation: 1519

You should only have to worry about this in SQL fragment methods like where(), connection.execute() or find_by_sql(), although if you want to be sure you can use a method like sanitize_sql(). I would recommend reading through this, most notably section 8 for your case.

Update: For example,

User.find_by_email("'' OR 1--")

would evaluate to

SELECT "users".* FROM "users" WHERE "users"."email" = $1 LIMIT 1  [["email", "'' OR 1--"]]

which would be sanitized.

Upvotes: 2
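To make the answer's distinction concrete, here is an added example written for this page (it is not the asker's code, the answerer's code, or Rails itself). The log line above shows that a dynamic finder like find_by_email sends the value as the bound parameter $1, so it can never become statement text; a value interpolated into a where() fragment does become statement text. The block below imitates, in plain Ruby, the quoting that sanitize_sql_array performs when it substitutes a ? placeholder, and adds a small tokenizer that reports whether the supplied value stayed confined to a single string literal. The helper names quote_literal, bind_fragment, unsafe_fragment, safe_fragment, tokenize and input_confined? are names chosen here, not Rails methods, and the payload is the one from the answer.

```ruby
# Imitation of ActiveRecord-style literal quoting (assumption: not Rails'
# own code): wrap in single quotes and double any embedded single quote.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Imitation of sanitize_sql_array: each ? in the template is replaced by the
# next value, quoted. Keeps the value inside one literal.
def bind_fragment(template, *values)
  pending = values.dup
  template.gsub("?") { quote_literal(pending.shift) }
end

# The pattern the answer warns about: raw interpolation into a where() string.
# The value is spliced in unquoted, so it is parsed as SQL, not as data.
def unsafe_fragment(email)
  "email = #{email}"
end

# The hardened form: a placeholder the value is bound to.
def safe_fragment(email)
  bind_fragment("email = ?", email)
end

# Splits a fragment into [:literal, text] tokens for single-quoted strings
# (with '' as the escaped quote) and [:bare, text] tokens for everything else.
def tokenize(sql)
  tokens = []
  i = 0
  while i < sql.length
    if sql[i] == "'"
      j = i + 1
      buf = +""
      loop do
        raise "unterminated literal in #{sql.inspect}" if j >= sql.length
        if sql[j] == "'"
          if sql[j + 1] == "'"   # doubled quote: escaped quote inside literal
            buf << "'"
            j += 2
          else                   # closing quote
            j += 1
            break
          end
        else
          buf << sql[j]
          j += 1
        end
      end
      tokens << [:literal, buf]
      i = j
    else
      j = i
      j += 1 while j < sql.length && sql[j] != "'"
      tokens << [:bare, sql[i...j]]
      i = j
    end
  end
  tokens
end

# Structural check for a fragment meant to read "email = <one literal>":
# true only if the text outside quotes is exactly "email = " and the value
# occupies exactly one literal. Anything else means input leaked into SQL.
def input_confined?(sql)
  toks = tokenize(sql).reject { |kind, text| kind == :bare && text.strip.empty? }
  toks.length == 2 && toks[0] == [:bare, "email = "] && toks[1][0] == :literal
end

if __FILE__ == $PROGRAM_NAME
  payload = "'' OR 1--"                     # constructed: the answer's sample input
  [payload, "alice@example.com"].each do |input|
    [unsafe_fragment(input), safe_fragment(input)].each do |frag|
      puts "#{input_confined?(frag) ? 'confined' : 'LEAKED  '}  #{frag}"
    end
  end
end
```

Running it shows the unquoted interpolation producing `email = '' OR 1--`, where ` OR 1--` sits outside any literal and the tokenizer reports a leak, while the placeholder form produces `email = ''''' OR 1--'`, a single literal whose decoded value is exactly the input. Note that even a harmless address breaks the unsafe form (`email = alice@example.com` is parsed as a column reference, not a string), which is a second reason to bind rather than interpolate.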
