Does ModelName.new protect against SQL injection?

Example:

@user = User.new(params[:user])

@user.save

I've read the Rails security docs and didn't see anything about inserts via Model.new.

Thanks!

A: 

Yes, it protects against SQL injection and is safe, as params[:user] is a hash.

You can check it with the following example. I assume you get some invalid values in params[:user][:name]:

  @user = User.new(params[:user])

  @user.save

AND

  @user = User.new
  @user.name = params[:user][:name]  # your application may crash here or this is not SQL injection safe
  @user.save

To avoid this you can use a hash:

  @user = User.new({ :name => params[:user][:name] })
  @user.save

After reading this I came to the conclusion that neither .new nor .save is safe from SQL injection.

Edited 

The mass-assignment feature may become a problem, as it allows an attacker to set any model’s attributes by manipulating the hash passed to a model’s new() method:

PLEASE READ section 6, Mass Assignment, for its problems and section 6.1, Countermeasures, for the solution.

Salil
Can you explain why the former is safer than the latter? Thanks.
apeacox
Thanks! Are there any rails docs that explain this? I know the security docs talk about find, but not about create/save.
bandhunt
@Salil - Take a look at http://guides.rubyonrails.org/security.html#mass-assignment. What you are saying is completely the opposite of what the Rails security docs say.
NM
+2  A: 

Model.new has nothing to do with SQL injection, as it is not the method that writes to the database.
It is Model.save that actually writes to the database and takes care of SQL injection.

NM
You mean if I assign values individually and then use `Model.save` it will take care of SQL injection? If yes, `you are wrong`.
Salil
Look at this: http://stackoverflow.com/questions/2144778/sql-injection-prevention-for-create-method-in-rails-controller. And http://guides.rubyonrails.org/security.html#mass-assignment.
NM
@NM - so ANY .save is always safe from injection? Since you can't do raw SQL with .save? Also, mass assignment has nothing to do with this.
bandhunt
@bandhunt - Take a look at this: http://guides.rubyonrails.org/security.html#mass-assignment. Mass assignment has a role to play in this, as someone might corrupt the hash that is passed to the new method and hence overwrite database values. So it is always good practice to whitelist your mass assignment variables through attr_accessible. Hope that helps.
NM
Thanks! Yeah, I have a whitelist in my model is what I was trying to say. I was just wondering about sql injection right now.
bandhunt
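The two answers above are talking about two different risks, and the distinction is easier to see in code. The following is an added, stand-alone illustration written for this page; it is not ActiveRecord's implementation and not code from either answerer. It separates the concern that `save` handles (attribute values are bound or quoted, never spliced into the SQL text) from the one it does not (the attribute names in an unfiltered params hash decide which columns are written, which is the mass-assignment problem the Rails guide describes). The toy `users` table, its column list, and the helper names `permit_attributes`, `build_insert` and `build_insert_unsafe` are assumptions made for the demo.

```ruby
# Added illustration for this thread, NOT ActiveRecord's code.
#   1. SQL injection: attribute VALUES never become part of the SQL string;
#      they travel separately as bind parameters.
#   2. Mass assignment: attribute NAMES in the hash choose the columns, so an
#      unfiltered params hash lets a request set columns like `admin`.
# The table, columns and helper names below are assumptions for the demo.

# Columns a web request is allowed to set (the attr_accessible idea).
PERMITTED = %w[name email].freeze

# Columns that actually exist on the assumed `users` table.
TABLE_COLUMNS = %w[id name email admin].freeze

# Keep only whitelisted keys. Returns [kept_hash, dropped_keys] so a caller
# can log an attempted mass assignment instead of silently ignoring it.
def permit_attributes(params, permitted = PERMITTED)
  params = params.transform_keys(&:to_s)
  kept = params.select { |key, _| permitted.include?(key) }
  dropped = params.keys - kept.keys
  [kept, dropped]
end

# Build a parameterized INSERT. Column names are checked against the known
# table columns (so a hostile key cannot inject into the column list) and the
# values are returned as a separate bind array, never interpolated into SQL.
def build_insert(table, attrs)
  attrs = attrs.transform_keys(&:to_s)
  unknown = attrs.keys - TABLE_COLUMNS
  raise ArgumentError, "unknown column(s): #{unknown.join(', ')}" unless unknown.empty?

  columns = attrs.keys
  placeholders = Array.new(columns.size, '?').join(', ')
  sql = "INSERT INTO #{table} (#{columns.join(', ')}) VALUES (#{placeholders})"
  [sql, attrs.values]
end

# The unsafe contrast: string interpolation puts each value into the SQL text,
# which is the only way a value such as "bob'); DROP TABLE users; --" turns
# into executable SQL. No column check either, so the hash picks the columns.
def build_insert_unsafe(table, attrs)
  columns = attrs.keys.join(', ')
  values = attrs.values.map { |v| "'#{v}'" }.join(', ')
  "INSERT INTO #{table} (#{columns}) VALUES (#{values})"
end

if __FILE__ == $0
  # Constructed request: a hostile value AND an extra key the form never had.
  params = { name: "bob'); DROP TABLE users; --", email: 'b@example.test', admin: true }

  safe_attrs, dropped = permit_attributes(params)
  sql, binds = build_insert('users', safe_attrs)
  puts "bound:   #{sql}"
  puts "binds:   #{binds.inspect}"
  puts "dropped: #{dropped.inspect}"
  puts "unsafe:  #{build_insert_unsafe('users', params)}"
end
```

Run it and compare the two INSERT strings: in the bound form the hostile name is just the first element of the bind array and `admin` never reaches the statement at all; in the unsafe form the quote in the name closes the literal and the extra key has become a column. That is why the answer saying `save` "takes care of SQL injection" and the comment saying you still need an `attr_accessible` whitelist are both right, about different things.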