snow_leopard

Reputation: 1556

SQL injection in Rails in Where Clause

I have following line which was suspected of SQL injection by a static code analyzer:

Admin.joins(:accounts_admins).where(user_id: params[:user_user_id], "members.account_id" => @account.id).first

To me, it looks safe as it's using a parameterized query. Let me know if anyone thinks otherwise.

Upvotes: 1

Views: 664

Answers (1)

Robert Nubel

Reputation: 7522

You're correct; Rails will convert the WHERE clause to use bound parameters and thus avoid the risk of SQL injection.

That said, as a best practice, you should leverage strong_parameters or some other form of parameter validation. As your code is written, a nil value will cause Rails to insert a WHERE user_id IS NULL expression. That's likely not a problem here, but in some cases it can cause unauthorized access.

Upvotes: 1
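The following is an added illustration, not code from the question or the answer and not ActiveRecord's own implementation. It models the two points the answer makes: with hash conditions the values never enter the SQL text (they travel as separate binds), and a nil value is rewritten to an IS NULL test instead of a bind. The builder is a deliberately simplified stand-in for what ActiveRecord does; hash_conditions_to_sql, require_present, MissingParameter, admin_lookup_sql and the account_id argument (standing in for @account.id) are assumed names, not Rails APIs.

```ruby
# Simplified model (not ActiveRecord's code) of how hash conditions in `where`
# become SQL plus a separate list of bind values.
#
# Column names come from the developer's hash keys, as in Rails, so they are
# interpolated into the SQL text; user-supplied VALUES never are.
def hash_conditions_to_sql(conditions)
  clauses = []
  binds = []
  conditions.each do |column, value|
    if value.nil?
      # Mirrors the behaviour the answer describes: nil is not bound, it becomes
      # a NULL test, which silently changes the meaning of the lookup.
      clauses << "#{column} IS NULL"
    else
      clauses << "#{column} = ?"
      binds << value
    end
  end
  [clauses.join(" AND "), binds]
end

# Parameter validation in the spirit of the answer's advice: reject a missing or
# blank value before it reaches the query, so an absent request parameter can
# never turn the lookup into `WHERE user_id IS NULL`.
class MissingParameter < StandardError; end

def require_present(params, key)
  value = params[key]
  if value.nil? || value.to_s.strip.empty?
    raise MissingParameter, "#{key} is required"
  end
  value
end

# The question's lookup with the guard in front of it. `params` is a plain Hash
# here (constructed stand-in for the Rails params object) and `account_id`
# stands in for @account.id.
def admin_lookup_sql(params, account_id)
  user_id = require_present(params, :user_user_id)
  hash_conditions_to_sql(user_id: user_id, "members.account_id" => account_id)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: an injection-looking string stays a bind value.
  p hash_conditions_to_sql(user_id: "1 OR 1=1", "members.account_id" => 42)
  # Constructed sample input: a nil user id rewrites the predicate to IS NULL.
  p hash_conditions_to_sql(user_id: nil, "members.account_id" => 42)
  # The guarded version refuses to build the query without a user id.
  begin
    admin_lookup_sql({}, 42)
  rescue MissingParameter => e
    puts "rejected: #{e.message}"
  end
end
```

The first call shows why the original line is not injectable: the attacker-looking string is returned as a bind, never spliced into the SQL. The second call shows the hazard the answer points out; whether `WHERE user_id IS NULL AND members.account_id = ?` matches nothing or matches unowned rows depends on the schema, which is exactly why the guard is worth having regardless.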
