bcan001

Reputation: 147

SQL injections in Rails 4 issue

I'm trying to learn about SQL injections and have tried to implement these, but when I put this code in my controller:

params[:username] = "johndoe') OR admin = 't' --"
@user_query = User.find(:first, :conditions => "username = '#{params[:username]}'")

I get the following error:

Couldn't find all Users with 'id': (first, {:conditions=>"username = 'johndoe') OR admin = 't' --'"}) (found 0 results, but was looking for 2)

I have created a User Model with the username "johndoe", but I am still getting no proper response. BTW I am using Rails 4.

Upvotes: 2

Views: 59

Answers (2)

dtc

Reputation: 1849

User.where(attr1: value, attr2: value2)

or for single items

User.find_by(attr1: value, attr2: value)

Bear in mind that while doing all this, it would be valuable to check what the actual SQL statement is by adding "to_sql" to the end of the query method (from what I remember, find_by just does a LIMIT by 1).

Upvotes: 1

user229044

Reputation: 239260

You're using an ancient Rails syntax. Don't use

find(:first, :conditions => <condition>) ...

Instead use

User.where(<condition>).first

find accepts a list of IDs to look up records for. You're giving it an ID of :first and an ID of condition: ..., which aren't going to match any records.

Upvotes: 2
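To make both answers concrete, here is an added example (not code from the question, the answers, or Rails itself) that builds the SQL the question's interpolated condition produces next to the SQL a placeholder-bound where("username = ?", ...) or where(username: ...) would produce. It assumes a small stand-in for ActiveRecord's quoting so it runs without Rails or a database; quote_literal, bind_placeholders and the three *_where helpers are hypothetical names.

```ruby
# Added example: how the two Rails 4 query styles treat the same input.
# quote_literal and bind_placeholders are stand-ins for ActiveRecord's own
# quoting and `?` substitution, not the real implementation.

# Double any single quote inside the value, then wrap it in quotes, so the
# value can never terminate the string literal it is placed in.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each `?` in the SQL fragment with the next quoted value, the way
# User.where("username = ?", params[:username]) binds its argument.
def bind_placeholders(sql, *values)
  remaining = values.dup
  sql.gsub("?") { quote_literal(remaining.shift) }
end

# The style from the question: the raw value is interpolated into the SQL
# string, so a quote in the input closes the literal early.
def interpolated_where(username)
  "SELECT * FROM users WHERE username = '#{username}' LIMIT 1"
end

# The placeholder style recommended in the second answer:
# User.where("username = ?", params[:username]).first
def bound_where(username)
  bind_placeholders("SELECT * FROM users WHERE username = ? LIMIT 1", username)
end

# The hash style recommended in the first answer:
# User.where(username: params[:username]) / User.find_by(username: ...)
# ActiveRecord quotes the value itself; the input is never part of the SQL text.
def hash_where(username)
  "SELECT * FROM users WHERE users.username = #{quote_literal(username)} LIMIT 1"
end

# Constructed input: the value the question assigns to params[:username].
PAYLOAD = "johndoe') OR admin = 't' --"

if __FILE__ == $PROGRAM_NAME
  puts "interpolated: #{interpolated_where(PAYLOAD)}"
  puts "bound:        #{bound_where(PAYLOAD)}"
  puts "hash:         #{hash_where(PAYLOAD)}"
end
```

Running it shows the interpolated form carrying the input's quote and comment marker into the statement itself, while in both bound forms the entire input stays inside one quoted literal that matches no username.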
