mysql - Is this Ruby on Rails code vulnerable to SQL injection? -
Thanks for this. I'm new to Rails (using Rails 2; I know it isn't ideal, but it's necessary for this project). I've got a form with several inputs and wanted to make sure I'm protecting users against SQL injection. I think I've handled it properly, but I wanted to be sure, for all the inputs.

footwear.html.erb has a form that saves to the shoes and socks tables:
```erb
<% form_for @shoe, :html => {:id => 'createanorder'} do |f| %>
  <p><input id="shoe_name" name="shoename" size="30" type="text" value="new shoe"></p>

  <p>Enter decoration for the top:
    <input id="topdecorationinput" type="text" name="topdecorationinput" size="56"></p>
  <p>Or, select a decoration from the list:
    <select id="topdecorationdropdown" name="topdecorationdropdown">
      <option value=""></option>
      <% for allshoe in @allshoe %>
        <option value="<%= allshoe.decoration %>"><%= allshoe.decoration %></option>
      <% end %>
    </select>
  </p>

  <select multiple id="socks" name="socksselected[]">
    <% for sock in @sock %>
      <option selected value="<%= sock.name %>"><%= sock.name %></option>
    <% end %>
  </select>

  <input type="checkbox" name="shipit" id="shipit" checked="checked">

  <p>Enter decoration for the bottom:
    <input id="bottomdecorationinput" type="text" name="bottomdecorationinput" size="56"></p>
  <p>Or, select a decoration from the list:
    <select id="bottomdecorationdropdown" name="bottomdecorationdropdown">
      <option value=""></option>
      <% for allshoe in @allshoe %>
        <option value="<%= allshoe.decoration %>"><%= allshoe.decoration %></option>
      <% end %>
    </select>
  </p>

  <input type="submit" id="savethisorder" value="save order or update order">
<% end %>
```
Shoes controller:
```ruby
class ShoesController < ApplicationController
  # GET /shoes
  # GET /shoes.xml
  def index
    @shoe = Shoe.all
    @sock = Sock.all
    respond_to do |format|
      format.html # index.html.erb
      format.xml  { render :xml => @shoe }
    end
  end

  # GET /shoes/1
  # GET /shoes/1.xml
  def show
    @shoe = Shoe.find(params[:id])
    @sock = Sock.find(params[:id])
    respond_to do |format|
      format.html # show.html.erb
      format.xml  { render :xml => @shoe }
    end
  end

  # GET /shoes/new
  # GET /shoes/new.xml
  def new
    @shoe = Shoe.new
    @sock = Sock.new
    respond_to do |format|
      format.html # new.html.erb
      format.xml  { render :xml => @shoe }
    end
  end

  # GET /shoes/1/edit
  def edit
    @shoe = Shoe.find(params[:id])
    @sock = Sock.find(params[:id])
    respond_to do |format|
      format.html # edit.html.erb
      format.xml  { render :xml => @shoe }
    end
  end

  # POST /shoes
  # POST /shoes.xml
  def create
    @shoe = Shoe.new(params[:shoe])
    @shoe.name = params[:shoename]

    # Use the typed-in decoration when no dropdown value was chosen,
    # otherwise look the dropdown value up. (The original test was inverted,
    # which called split on a blank dropdown value.)
    if params[:topdecorationdropdown].blank?
      @shoe.decoration = params[:topdecorationinput]
    else
      @shoe.decoration = params[:topdecorationdropdown]
      topdecorationdropdown_array = params[:topdecorationdropdown].split(',').collect(&:strip)
      # Hash conditions: ActiveRecord quotes the value, it is not interpolated into SQL.
      @shoe.sparkletopdecorationdropdown =
        AllShoe.find(:first, :conditions => {:sparkle => topdecorationdropdown_array[0]}).sparkle
    end

    socks = params[:socksselected]
    socks.each do |sock_info|
      sock = Sock.new
      sock.sockdescription = sock_info
      sock.shoe = @shoe
      sockdecoration_array = sock_info.split(',').collect(&:strip)
      @sockisaset = AllShoe.find(:first, :conditions => {:decoration => sockdecoration_array[0]})
      if @sockisaset
        sock.sparkle = AllShoe.find(:first, :conditions => {:sparkle => sockdecoration_array[0]}).sparkle
      else
        sock.sparkle = nil
      end
      sock.save
    end

    if !params[:shipit].blank?
      @shoe.shipit = 1
    else
      @shoe.shipit = 0
    end

    if params[:bottomdecorationdropdown].blank?
      @shoe.decoration = params[:bottomdecorationinput]
    else
      @shoe.decoration = params[:bottomdecorationdropdown]
      bottomdecorationdropdown_array = params[:bottomdecorationdropdown].split(',').collect(&:strip)
      @shoe.sparklebottomdecorationdropdown =
        AllShoe.find(:first, :conditions => {:sparkle => bottomdecorationdropdown_array[0]}).sparkle
    end

    respond_to do |format|
      if @shoe.save
        format.html { redirect_to "/store" }
        format.xml  { render :xml => @shoe, :status => :created }
      else
        format.html { render :action => "new" }
        format.xml  { render :xml => @shoe.errors, :status => :unprocessable_entity }
      end
    end
  end

  # PUT /shoes/1
  # PUT /shoes/1.xml
  def update
    @shoe = Shoe.find(params[:id])
    respond_to do |format|
      if @shoe.update_attributes(params[:shoe])
        flash[:notice] = 'Shoe updated.'
        format.html { redirect_to "/store" }
        format.xml  { head :ok }
      else
        format.html { render :action => "edit" }
        format.xml  { render :xml => @shoe.errors, :status => :unprocessable_entity }
      end
    end
  end

  # DELETE /shoes/1
  # DELETE /shoes/1.xml
  def destroy
    @shoe = Shoe.find(params[:id])
    @shoe.destroy
    respond_to do |format|
      format.html { redirect_to "/store" }
      format.xml  { head :ok }
    end
  end
end
```
Shoe model:

```ruby
class Shoe < ActiveRecord::Base
  belongs_to :footwear
  has_many :socks, :dependent => :destroy
end
```
The above given code is protected against SQL injection. Injection is possible in RoR; it happens when variables are directly used in the find SQL command while building the query.

For example:
```ruby
# User input is interpolated straight into the SQL string (vulnerable)
sql = "SELECT * FROM users WHERE id = #{params[:id]}"
res = User.find_by_sql(sql)
```
In the above mentioned case SQL injection can be done by sending appropriate statements in params[:id]. The same code can be written as follows to prevent injection:
```ruby
# The ? placeholder is filled in by ActiveRecord, which quotes the value
sql = "SELECT * FROM users WHERE id = ?"
res = User.find_by_sql([sql, params[:id]])
```
The above written code is safe from SQL injection.
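To make the difference visible without a database, here is an added stand-in for the three query styles that appear on this page: the interpolated string from the answer's first snippet, the `["... = ?", value]` array form from its second snippet, and the `:conditions => {:sparkle => value}` hash form used in the question's controller. This is example code, not from the question, the answer, or Rails itself; `quote_value` is a deliberately simplified model of an adapter's quoting (assumed MySQL-style backslash escaping), and the `allshoes` table and the input value are constructed for the demonstration.

```ruby
# Added example, not code from the question or the answer: a small stand-in
# for the three ActiveRecord query styles discussed on this page, so the
# difference can be inspected without a database. `quote_value` is a
# simplified model of an adapter's quoting (assumption: MySQL-style backslash
# escaping); a real adapter handles more types and encodings than this.

def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else
    # Escape backslashes first, then single quotes, then wrap in quotes.
    escaped = value.to_s.gsub("\\") { "\\\\" }.gsub("'") { "\\'" }
    "'#{escaped}'"
  end
end

# Unsafe style from the answer: the parameter is interpolated into SQL text,
# so any quote in the value becomes part of the statement's grammar.
def interpolated_query(param)
  "SELECT * FROM allshoes WHERE sparkle = '#{param}'"
end

# Safe style from the answer (array form: ["... = ?", value]): each ? is
# replaced by the quoted value, so the value can only ever be one literal.
def bind_query(template, *values)
  parts = template.split("?", -1)
  unless parts.size == values.size + 1
    raise ArgumentError, "expected #{parts.size - 1} values, got #{values.size}"
  end
  sql = String.new(parts.first)
  values.each_with_index { |v, i| sql << quote_value(v) << parts[i + 1] }
  sql
end

# Hash-conditions style used in the question's controller
# (:conditions => {:sparkle => value}): column names come from the code,
# values are quoted, which is why that controller is not injectable here.
def hash_conditions(conds)
  conds.map { |column, value| "#{column} = #{quote_value(value)}" }.join(" AND ")
end

# Count quoted literals in a statement; a user value that has been absorbed
# correctly contributes exactly one, however many quotes it contained.
def literal_count(sql)
  sql.scan(/'(?:\\.|[^'\\])*'/).size
end

if __FILE__ == $0
  value = "gold 'n' silver" # constructed form input containing apostrophes
  puts interpolated_query(value)                                      # two literals plus a stray token
  puts bind_query("SELECT * FROM allshoes WHERE sparkle = ?", value)  # one escaped literal
  puts "SELECT * FROM allshoes WHERE " + hash_conditions(:sparkle => value)
end
```

Running it with a value that merely contains apostrophes is enough to show the failure mode: the interpolated statement's quoting no longer matches what the code intended, whereas the bound and hash forms keep the whole input inside a single quoted literal. That structural guarantee, not the absence of a particular character, is what makes the placeholder and hash forms safe; the controller above uses only hash conditions and `find(params[:id])`, which is why the answer calls it protected.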