Reputation: 13571
When I make a query...
is there any meaningful difference between using a find_by helper or not?
Are there any reasons I'm overlooking for opting for shorter lines of code when doing things like this?
Booking.find_all_by_user_id(1, :joins => :confirmation)
Booking.find(:all, :joins => :confirmation, :conditions => [ 'bookings.user_id = ?', 1] )
Upvotes: 0
Views: 1643
Reputation: 5617
What you're looking for is in here:
http://guides.rubyonrails.org/security.html#sql-injection
AND
http://guides.rubyonrails.org/security.html#mass-assignment
Be sure to read both carefully.
Upvotes: 2
Reputation: 23990
No, regarding injection attacks.
The find_by method should be safe. However, the only killer mistake is to use user input directly inside your conditions param when using the find method, like doing:
Booking.find(:all, :joins => :confirmation, :conditions => [ "bookings.user_id = #{params[:user_id]}" ] )
Of course the right one is the way you did it, and the find method will filter things up.
Booking.find(:all, :joins => :confirmation, :conditions => [ 'bookings.user_id = ?', params[:user_id] ] )
Upvotes: 3
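An added example, not code from the question or either answer: a small stand-in for ActiveRecord's `?` placeholder handling (the real thing quotes per database adapter; the quoting rules here are an assumption that mirrors standard SQL string literals), used to show why the placeholder form in the question keeps a request parameter as a single literal while the interpolated form in the answer above lets it change the query's structure.

```ruby
# Quote one bound value the way a `?` placeholder does: numbers are emitted bare,
# nil becomes NULL, everything else becomes a single-quoted SQL string literal with
# any embedded quote doubled. Strings that merely look numeric stay strings.
def quote_value(value)
  case value
  when Integer, Float then value.to_s
  when nil then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each `?` in the condition template with the next quoted value, i.e. what
# a conditions array such as ['bookings.user_id = ?', 1] turns into.
def sanitize_sql_array(conditions)
  template, *values = conditions
  unless template.count("?") == values.size
    raise ArgumentError, "wrong number of bind variables"
  end
  remaining = values.dup
  template.gsub("?") { quote_value(remaining.shift) }
end

# The unsafe pattern from the answer: the raw value is spliced into the SQL text.
def interpolated_where(user_id)
  "bookings.user_id = #{user_id}"
end

# The safe pattern from the question: the value travels through a placeholder.
def parameterized_where(user_id)
  sanitize_sql_array(["bookings.user_id = ?", user_id])
end

if __FILE__ == $0
  # Constructed inputs standing in for params[:user_id]; note that request
  # parameters arrive as strings even when they hold a numeric id.
  benign  = "1"
  hostile = "1 OR 1=1"

  puts interpolated_where(benign)     # bookings.user_id = 1
  puts interpolated_where(hostile)    # bookings.user_id = 1 OR 1=1  (structure changed)
  puts parameterized_where(benign)    # bookings.user_id = '1'
  puts parameterized_where(hostile)   # bookings.user_id = '1 OR 1=1'  (still one literal)
end
```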