RJd

Reputation: 11

How to escape strings in postgres like sql statements?

I am using Rails for a project with postgresql as the underlying database. I have a search form that needs a few modifications. Specifically, I need to ensure that if someone types in something like 'drop table allusers', I don't have a disaster on my hands. Is there any way I can restrict the search to one table only and ensure that searching for something like "drop table allusers" doesn't drop the table but just returns results?

Upvotes: 1

Views: 1899

Answers (2)

csano

Reputation: 13686

The simplest approach would probably be to make sure that you've got your database roles set up correctly. The role that the query is executing under should only be able to do what you want it to do. It sounds like you only want the role that your web application is using to connect to the database to be able to issue SELECT statements against the allusers table. If this is the case, then create a role, and grant it the SELECT privilege on the allusers table.

Some more information on database roles and granting access privileges can be found in the PostgreSQL documentation.

Upvotes: 0

Dan Grossman

Reputation: 52372

If you're using ActiveRecord to do all the querying, and placeholders (?) wherever you have parameters to pass in, then there's nothing to worry about. The data is being escaped and user input can't change the nature of the query.

http://guides.rubyonrails.org/security.html#sql-injection

Upvotes: 3
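As an added example (not code from the question or either answer), here is a stand-alone Ruby sketch of what the `?` placeholder in the answer above does, together with the LIKE-wildcard escaping the question title hints at. It assumes PostgreSQL's default `standard_conforming_strings=on`; the function names (`pg_quote`, `bind_placeholders`, `escape_like`, `search_sql_*`) are illustrative, not ActiveRecord's own.

```ruby
# Added example, not code from the question or either answer: a stand-alone
# model of what ActiveRecord does with a "?" placeholder, so the difference
# between string interpolation and binding is visible without a database.
# Names (pg_quote, bind_placeholders, escape_like, search_sql_*) are ours.

# Quote a value as a PostgreSQL string literal. Doubling each single quote is
# standard SQL quoting; with standard_conforming_strings=on (the default)
# backslashes inside the literal are ordinary characters.
def pg_quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each "?" with the next argument, quoted: the same contract as
# where("name LIKE ?", value). The block form of gsub is used so quotes or
# backslashes in the value are never interpreted as backreferences.
def bind_placeholders(template, *args)
  expected = template.count("?")
  unless expected == args.length
    raise ArgumentError, "expected #{expected} arguments, got #{args.length}"
  end
  queue = args.dup
  template.gsub("?") { pg_quote(queue.shift) }
end

# Escape LIKE metacharacters so a "%" or "_" typed by the user matches itself
# (Rails >= 4.2 ships this as sanitize_sql_like). PostgreSQL's default LIKE
# escape character is the backslash.
def escape_like(term)
  term.gsub(/[\\%_]/) { |c| "\\" + c }
end

# Interpolation: the user's text becomes part of the statement. A single
# quote in a name such as O'Brien already leaves an unbalanced literal.
def search_sql_interpolated(term)
  "SELECT * FROM allusers WHERE name LIKE '%#{term}%'"
end

# Binding: the term travels as one quoted literal with wildcards escaped;
# "drop table allusers" is just text for LIKE to match against.
def search_sql_bound(term)
  bind_placeholders("SELECT * FROM allusers WHERE name LIKE ?",
                    "%#{escape_like(term)}%")
end

if $PROGRAM_NAME == __FILE__
  ["drop table allusers", "O'Brien", "50%"].each do |input|
    puts "interpolated: #{search_sql_interpolated(input)}"
    puts "bound:        #{search_sql_bound(input)}"
  end
end
```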
