pratski

Reputation: 1488

Rails: SQL injection concern?

My controller finds a user using:

@user = User.find_by_identifier!(params[:id])

In my Users model, I have

class User < ActiveRecord::Base
  # Routes build URLs with the random identifier instead of the numeric id
  def to_param
    identifier
  end

  private

  # Generates a random, URL-safe identifier
  def create_identifier
    SecureRandom.urlsafe_base64(9)
  end
end

Question: Is this safe from an SQL injection point? And how so, since I have no clue about SQL injection despite reading various articles.

Upvotes: 1

Views: 87

Answers (1)

Jared Beck

Reputation: 17528

A quick experiment in my own console indicates that find_by_identifier! is safe against SQL injection.

irb(main):005:0> User.find_by_email! "i am sneaky '; drop table woot;"
  User Load (0.8ms)  SELECT "users".* FROM "users" WHERE "users"."email" = 'derp ''; drop table woot;' LIMIT 1

Notice how the generated SQL query escapes the malicious single-quote.

I believe that the to_param and create_identifier in your model are irrelevant.

Upvotes: 2
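To make the point in the answer's console log reproducible without a database, here is an added example (not code from the question, the answer, or Rails itself) written in plain Ruby. It models the string-literal quoting ActiveRecord applies to a value passed through a dynamic finder like `find_by_email!`, a hash condition such as `User.where(email: value)`, or a placeholder condition such as `User.where("email = ?", value)`: the value is wrapped in single quotes and every embedded single quote is doubled, which is exactly the `'derp ''; drop table woot;'` seen in the log. It sets that beside the pattern that is injectable in Rails, interpolating the raw value into the SQL string (`where("email = '#{...}'")`). The `quote_literal`, `safe_find_by_sql`, `unsafe_find_by_sql` and `statement_count` helpers, and the constructed `PAYLOAD`, are this example's own, not ActiveRecord's API.

```ruby
# Added example, not from the question or answer: a plain-Ruby model of how a
# bound value is quoted by ActiveRecord, versus raw string interpolation.

# SQL-standard string-literal quoting: wrap in single quotes and double any
# single quote inside the value. This is what produces 'derp ''; ...' in the
# answer's log, and it is why the payload stays inside the literal.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# How a dynamic finder / hash condition builds its WHERE clause: the user
# value only ever reaches the statement through quote_literal.
def safe_find_by_sql(column, value)
  %(SELECT "users".* FROM "users" WHERE "users".#{column.inspect} = #{quote_literal(value)} LIMIT 1)
end

# The injectable pattern, e.g. where("email = '#{params[:email]}'"):
# the raw value is spliced directly into the statement text.
def unsafe_find_by_sql(column, value)
  %(SELECT "users".* FROM "users" WHERE "users".#{column.inspect} = '#{value}' LIMIT 1)
end

# Crude statement counter used only to make the difference visible: a ';'
# inside a properly quoted literal is skipped, a ';' outside one starts a
# new statement. Doubled quotes ('') are treated as an escaped quote.
def statement_count(sql)
  count = 1
  in_string = false
  i = 0
  while i < sql.length
    ch = sql[i]
    if ch == "'"
      if in_string && sql[i + 1] == "'"
        i += 1 # escaped quote inside the literal, stay in string
      else
        in_string = !in_string
      end
    elsif ch == ";" && !in_string
      count += 1 if i < sql.length - 1
    end
    i += 1
  end
  count
end

# Constructed payload with the same shape as the one in the answer.
PAYLOAD = "i am sneaky '; drop table woot;"

if __FILE__ == $PROGRAM_NAME
  puts "bound value:  " + safe_find_by_sql("email", PAYLOAD)
  puts "interpolated: " + unsafe_find_by_sql("email", PAYLOAD)
  puts "statements (bound): #{statement_count(safe_find_by_sql('email', PAYLOAD))}"
  puts "statements (interpolated): #{statement_count(unsafe_find_by_sql('email', PAYLOAD))}"
end
```

Run it with `ruby quoting_demo.rb`. The bound form yields one statement with the payload held inside the literal; the interpolated form closes the literal early and the rest of the payload becomes SQL of its own. The `to_param` and `create_identifier` methods in the question never touch statement construction, which is why the answer calls them irrelevant here.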
