AnApprentice

Reputation: 110970

Rails - is this safe? taking a URL param to query the DB?

Does Rails automatically protect against vulnerabilities of doing something like:

Given a URL: http://a.com/?id=3131313131313

then in the rails controller

@comment = Comment.find(params[:id])

Does Rails automatically protect against that, or do I need to do some type of validation to protect the app from hackers?

Thanks

Upvotes: 5

Views: 2159

Answers (2)

fl00r

Reputation: 83680

Yes. It will take your params and sanitize them, if you are worried about SQL injection. But a better approach is to use a URL like http://a.com/31343231. It is quite simple to make, but looks better.

Upvotes: 2

Marcel Jackwerth

Reputation: 54762

ActiveRecord find will always use .to_i to prevent all SQL injection magic.

Rails will also auto-escape stuff in queries like this:

Comment.where(["id = ?", params[:id]])

But not in

Comment.where("id = #{params[:id]}")

Upvotes: 6
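An added example (not code from either answer, and not ActiveRecord itself) that imitates the three query styles discussed in this answer so the difference can be run offline: `quote`, `bind_placeholders`, `find_sql` and `interpolated_sql` are stand-ins written for this illustration, and the request parameter values are constructed.

```ruby
# Stand-in for ActiveRecord quoting: integers pass through untouched, anything
# else becomes a single-quoted SQL string with embedded quotes doubled.
def quote(value)
  case value
  when Integer then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Imitates Comment.where(["id = ?", params[:id]]): every ? placeholder is
# replaced by the *quoted* value, so the parameter can only ever be data.
def bind_placeholders(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  pending = values.dup
  template.gsub("?") { quote(pending.shift) }
end

# Imitates Comment.find(params[:id]) as described in the answer: the parameter
# is coerced with to_i before it reaches SQL, so only a number survives.
def find_sql(id_param)
  "SELECT * FROM comments WHERE id = #{id_param.to_i} LIMIT 1"
end

# The unsafe pattern from the answer: the raw request parameter is pasted
# into the statement, so whatever the client sent becomes part of the SQL.
def interpolated_sql(id_param)
  "SELECT * FROM comments WHERE id = #{id_param}"
end

if __FILE__ == $0
  # Constructed request parameters: the id from the question and a tampered one.
  ["3131313131313", "3 or 1=1"].each do |param|
    puts "param            : #{param.inspect}"
    puts "  find (to_i)    : #{find_sql(param)}"
    puts "  where with ?   : #{bind_placeholders('SELECT * FROM comments WHERE id = ?', param)}"
    puts "  interpolated   : #{interpolated_sql(param)}"
  end
end
```

The tampered parameter is reduced to `3` by `to_i`, kept as an inert quoted string by the `?` binding, and spliced verbatim into the statement only by the interpolated form.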
