What is a good method in Ruby to prevent SQL Injection?
+2
A:
Not just in Ruby - bind your parameters (be it in the database, or in your client code).
davek
2010-02-13 19:52:12
+1
A:
Check out the guide they have up on this: http://guides.rubyonrails.org/security.html#injection
Basically, you want to use bind variables in your models to find data, rather than inline parameters.
# Rails 2.x finder: ActiveRecord replaces each ? with the quoted value, so the
# input is only ever data and never becomes part of the SQL grammar
Model.find(:first, :conditions => ["login = ? AND password = ?", entered_user_name, entered_password])
Dan McNevin
2010-02-13 19:54:32
Yes, this does look good. Pretty much what I am used to in Java, thanks.
Zombies
2010-02-13 19:55:25
You should at least mention that you're talking about active record.
sepp2k
2010-02-13 20:02:48
I was just about to comment on this. In my haste, I forgot to read that it was not specifically for Rails/ActiveRecord. Sorry about that!
Dan McNevin
2010-02-13 20:05:10
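Added here as an illustration, not code from any of the answers: a stand-alone Ruby script that models the client-side binding a conditions array such as ["login = ? AND password = ?", entered_user_name, entered_password] performs, and compares it with plain string interpolation. The helper names (quote_literal, bind_params, string_literals, bare_or_count), the users table and the sample attacker input are all assumptions made for this example; it needs no database because it only inspects the SQL text that would be sent.

```ruby
# Added example (not part of the original answers). It models the client-side
# binding that a conditions array like
#   ["login = ? AND password = ?", entered_user_name, entered_password]
# performs: every ? is replaced by a quoted, escaped literal BEFORE the string
# reaches the database, so the query structure is fixed and the input can only
# ever be data. Helper names and the users table are assumptions for this demo.

# Quote one Ruby value as a SQL literal. Doubling the single quote is the
# ANSI SQL escape; a real driver also knows its own escape rules (e.g. MySQL
# backslashes), so in practice use the driver's or ORM's quoting, not this.
def quote_literal(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each ? placeholder with the corresponding quoted value.
# Limitation (shared with naive binders): a literal ? inside the SQL text
# would also be treated as a placeholder.
def bind_params(sql, *values)
  expected = sql.count("?")
  unless expected == values.size
    raise ArgumentError, "expected #{expected} values, got #{values.size}"
  end
  i = -1
  sql.gsub("?") { quote_literal(values[i += 1]) }
end

# The vulnerable form: user input interpolated straight into the SQL text.
def vulnerable_query(login, password)
  "SELECT * FROM users WHERE login = '#{login}' AND password = '#{password}'"
end

# The bound form: same query, values bound through placeholders.
def safe_query(login, password)
  bind_params("SELECT * FROM users WHERE login = ? AND password = ?", login, password)
end

# Diagnostic: extract the string literals a SQL parser would see
# ('' inside a literal is an escaped quote).
LITERAL = /'((?:[^']|'')*)'/

def string_literals(sql)
  sql.scan(LITERAL).flatten.map { |body| body.gsub("''", "'") }
end

# Diagnostic: count OR keywords that sit OUTSIDE any string literal, i.e.
# that the parser would treat as boolean operators.
def bare_or_count(sql)
  sql.gsub(LITERAL, "?").scan(/\bOR\b/i).size
end

if __FILE__ == $0
  payload = "' OR '1'='1"   # constructed attacker input for the demo
  [vulnerable_query("admin", payload), safe_query("admin", payload)].each do |sql|
    puts sql
    puts "  literals: #{string_literals(sql).inspect}"
    puts "  bare ORs: #{bare_or_count(sql)}"
  end
end
```

Running the script shows the point of both answers above: with interpolation the attacker's input splits into four literals and an OR that reaches the parser, so the condition becomes a tautology; with binding the whole input stays inside one literal and the parser sees exactly the two comparisons the developer wrote. The hand-rolled quote_literal exists only to make the mechanism visible; production code should rely on the ORM's binder or on server-side prepared statements.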
+2
A:
In straight-up Ruby? Use prepared statements:
require 'mysql'   # legacy mysql gem (MySQL/Ruby binding)
db = Mysql.new('localhost', 'user', 'password', 'database')
# server-side prepared statement: the ? is a bind marker, not string interpolation
statement = db.prepare "SELECT * FROM table WHERE field = ?"
# the value travels separately from the SQL text, so it can never alter the query structure
statement.execute 'value'
statement.fetch   # next row as an array, nil when no rows remain
statement.close
db.close
Mike Sherov
2010-02-13 20:00:49
My problem with this is that it returns an array of results as opposed to a field or something much more manageable.
Zombies
2010-02-14 03:31:24
This is just an example of how to use prepared statements for a select query. What you do with the results is up to you.
Mike Sherov
2010-02-14 13:59:26