Hi,

I have a requirement where a screen allows an end user to create a filter that is basically any valid SQL fragment. For reasons beyond my control this is what is needed, so I need to work within this boundary.

This SQL fragment gets appended to a WHERE clause in a SQL statement. Currently, to avoid anything too nasty going on, the login that runs the SQL is limited to SELECT operations on the required tables.

Is there any way in Rails (2.3) that I can mitigate the risk of SQL injection attacks but still allow free-text input, so that very complex filter criteria can be specified?

Cheers

A: 

Add a second connection with a deny-all access policy, with read-only access granted to the specific database and chosen tables, or views of tables without sensitive columns. View names can be the same as the table names if you introduce a separate schema. Of course your DBMS must support all these features. Once you do it well, the DB will take care of all the security.

Security by syntax is very hard to guarantee: it depends on the database's SQL syntax features (and bugs), as databases have their own SQL injection tricks. It is also hard to properly detect what is wrong with a simple parser, e.g. [DELETE FROM] versus [SELECT * FROM X WHERE name LIKE "%delete from our records%"]. Finally, it would be easier to implement a simple SQL-like DSL parser and translate the AST to SQL, escaping the non-token items. But that is still very complex and carries risk.

gertas
great response thanks
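The following is an added example of the approach the answer describes (a dedicated read-only login that can only see views in a separate schema), written for PostgreSQL; it is not code from the original thread. The database, role, table, column and schema names (app, filters_ro, orders, customers, filters) are assumptions for illustration, and the two "attack" statements at the end are constructed to show what the privilege model blocks.

```sql
-- Added example (PostgreSQL). Names below are assumed for illustration.

-- 1. A dedicated login used only for the user-defined filter screen.
CREATE ROLE filters_ro LOGIN PASSWORD 'change-me';

-- 2. Deny-all baseline. New tables grant nothing to PUBLIC by default, so the
--    base tables in schema public are already unreadable by filters_ro; we
--    only add CONNECT and take away the default CREATE on schema public.
GRANT CONNECT ON DATABASE app TO filters_ro;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 3. A separate schema whose view names mirror the table names, so fragments
--    written against "orders" or "customers" still resolve, but only to the
--    projected columns (no email, no password_hash, etc.).
CREATE SCHEMA filters;
CREATE VIEW filters.orders AS
  SELECT id, customer_id, status, total, created_at FROM public.orders;
CREATE VIEW filters.customers AS
  SELECT id, name, country FROM public.customers;

-- 4. Read-only grants on the views only; nothing on the base tables.
GRANT USAGE ON SCHEMA filters TO filters_ro;
GRANT SELECT ON filters.orders, filters.customers TO filters_ro;

-- 5. Belt and braces: the role's sessions resolve names in the filters
--    schema, run read-only transactions, and cannot run forever.
ALTER ROLE filters_ro SET search_path = filters;
ALTER ROLE filters_ro SET default_transaction_read_only = on;
ALTER ROLE filters_ro SET statement_timeout = '5s';

-- 6. What the restricted login sees. Each WHERE clause below stands in for a
--    user-supplied fragment appended by the application.
SET ROLE filters_ro;

-- Legitimate filters work, including ones that merely contain scary words:
SELECT * FROM orders    WHERE status = 'open' AND total > 100;
SELECT * FROM customers WHERE name LIKE '%delete from our records%';

-- Stacked statement: fails, the role has no DELETE privilege anywhere.
SELECT * FROM orders WHERE 1=1; DELETE FROM orders;

-- UNION into a base table: fails, permission denied for relation customers.
SELECT id, customer_id FROM orders WHERE 1=1
UNION SELECT id, email FROM public.customers;

RESET ROLE;
```

On the Rails 2.3 side the natural fit (an assumption about the asker's application, not shown in the thread) is a database.yml entry whose username is filters_ro and an abstract model that calls `establish_connection` with that entry's key, so only the query that embeds the user's fragment ever runs over the restricted connection while the rest of the application keeps its normal login. Two caveats the DDL does not cover: everything projected by the views is readable by anyone who can type a filter, so the views must be trimmed for the least-privileged user of that screen, and a read-only role still allows expensive queries, which is why the per-role statement_timeout is worth setting.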