mysql - Is this Ruby on Rails code vulnerable to SQL injection?


Thanks for this. I'm new to Rails (using Rails 2, I know it isn't ideal, but it's necessary for the project). I've got a form with several inputs. I wanted to make sure I'm protecting users against SQL injection. I think I've handled it properly, but I wanted to be sure, given the inputs.

footwear.html.erb has a form that saves to the shoes and socks tables:

    <% form_for @shoe, :html => {:id => 'createanorder'} do |f| %>
      <p><input id="shoe_name" name="shoename" size="30" type="text" value="new shoe"></p>

      <p>Enter decoration for the top:
      <input id="topdecorationinput" type="text" name="topdecorationinput" size="56"></p>

      <p>Or, select a decoration from the list:
      <select id="topdecorationdropdown" name="topdecorationdropdown">
        <option value=""></option>
        <% for allshoe in @allshoe %>
        <option value="<%= allshoe.decoration %>"><%= allshoe.decoration %></option>
        <% end %>
      </select>
      </p>

      <select multiple id="socks" name="socksselected[]">
        <% for sock in @sock %>
        <option selected value="<%= sock.name %>"><%= sock.name %></option>
        <% end %>
      </select>

      <input type="checkbox" name="shipit" id="shipit" checked="true">

      <p>Enter decoration for the bottom:
      <input id="bottomdecorationinput" type="text" name="bottomdecorationinput" size="56"></p>

      <p>Or, select a decoration from the list:
      <select id="bottomdecorationdropdown" name="bottomdecorationdropdown">
        <option value=""></option>
        <% for allshoe in @allshoe %>
        <option value="<%= allshoe.decoration %>"><%= allshoe.decoration %></option>
        <% end %>
      </select>
      </p>

      <input type="submit" id="savethisorder" value="save order or update order">
    <% end %>

shoes controller

    class ShoesController < ApplicationController
      # GET /shoes
      # GET /shoes.xml
      def index
        @shoe = Shoe.all
        @sock = Sock.all
        respond_to do |format|
          format.html # index.html.erb
          format.xml  { render :xml => @shoe }
        end
      end

      # GET /shoes/1
      # GET /shoes/1.xml
      def show
        @shoe = Shoe.find(params[:id])
        @sock = Sock.find(params[:id])
        respond_to do |format|
          format.html # show.html.erb
          format.xml  { render :xml => @shoe }
        end
      end

      # GET /shoes/new
      # GET /shoes/new.xml
      def new
        @shoe = Shoe.new
        @sock = Sock.new
        respond_to do |format|
          format.html # new.html.erb
          format.xml  { render :xml => @shoe }
        end
      end

      # GET /shoes/1/edit
      def edit
        @shoe = Shoe.find(params[:id])
        @sock = Sock.find(params[:id])
        respond_to do |format|
          format.html # edit.html.erb
          format.xml  { render :xml => @shoe }
        end
      end

      # POST /shoes
      # POST /shoes.xml
      def create
        @shoe = Shoe.new(params[:shoe])
        @shoe.name = params[:shoename]

        # Use the typed-in decoration unless one was picked from the list
        if params[:topdecorationdropdown].blank?
          @shoe.decoration = params[:topdecorationinput]
        else
          @shoe.decoration = params[:topdecorationdropdown]
          topdecorationdropdown_array = params[:topdecorationdropdown].split(',').collect(&:strip)
          # Hash conditions are quoted by ActiveRecord; the user value is never spliced into the SQL text
          match = Allshoe.find(:first, :conditions => {:sparkle => topdecorationdropdown_array[0]})
          @shoe.sparkletopdecorationdropdown = match.sparkle if match
        end

        socks = params[:socksselected] || []   # nothing selected yields no socks
        socks.each do |sock_info|
          sock = Sock.new
          sock.sockdescription = sock_info
          sock.shoe = @shoe

          sockdecoration_array = sock_info.split(',').collect(&:strip)
          @sockisaset = Allshoe.find(:first, :conditions => {:decoration => sockdecoration_array[0]})
          if @sockisaset
            sock.sparkle = Allshoe.find(:first, :conditions => {:sparkle => sockdecoration_array[0]}).sparkle
          else
            sock.sparkle = nil
          end
          sock.save
        end

        if !params[:shipit].blank?
          @shoe.shipit = 1
        else
          @shoe.shipit = 0
        end

        if params[:bottomdecorationdropdown].blank?
          @shoe.decoration = params[:bottomdecorationinput]
        else
          @shoe.decoration = params[:bottomdecorationdropdown]
          bottomdecorationdropdown_array = params[:bottomdecorationdropdown].split(',').collect(&:strip)
          match = Allshoe.find(:first, :conditions => {:sparkle => bottomdecorationdropdown_array[0]})
          @shoe.sparklebottomdecorationdropdown = match.sparkle if match
        end

        respond_to do |format|
          if @shoe.save
            format.html { redirect_to "/store" }
            format.xml  { render :xml => @shoe, :status => :created }
          else
            format.html { render :action => "new" }
            format.xml  { render :xml => @shoe.errors, :status => :unprocessable_entity }
          end
        end
      end

      # PUT /shoes/1
      # PUT /shoes/1.xml
      def update
        @shoe = Shoe.find(params[:id])
        respond_to do |format|
          if @shoe.update_attributes(params[:shoe])
            flash[:notice] = 'Shoe updated.'
            format.html { redirect_to "/store" }
            format.xml  { head :ok }
          else
            format.html { render :action => "edit" }
            format.xml  { render :xml => @shoe.errors, :status => :unprocessable_entity }
          end
        end
      end

      # DELETE /shoes/1
      # DELETE /shoes/1.xml
      def destroy
        @shoe = Shoe.find(params[:id])
        @shoe.destroy
        respond_to do |format|
          format.html { redirect_to "/store" }
          format.xml  { head :ok }
        end
      end
    end

shoe model

    class Shoe < ActiveRecord::Base
      belongs_to :footwear
      has_many :socks, :dependent => :destroy
    end

The above given code is protected against SQL injection. Injection is possible in RoR; it happens when variables are used directly in a find SQL command while building the query.

For example:

    sql = "SELECT * FROM users WHERE id = #{params[:id]}"
    res = User.find_by_sql(sql)

In the above mentioned case SQL injection can be done by sending appropriate statements in params[:id]. The same code can be written as follows to prevent injection:

    sql = "SELECT * FROM users WHERE id = ?"
    res = User.find_by_sql([sql, params[:id]])

The above written code is safe from SQL injection.
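As an added example (not code from the question or the answer), here is a small stand-in for ActiveRecord's quoting that lets the two find_by_sql styles above, and the hash :conditions used in the controller, be compared without a database. The helpers quote, sanitize_sql_array, sanitize_sql_hash and predicate_count are written for this page and only imitate what Rails does; the tampered input is constructed.

```ruby
# Added example, not Rails code: these helpers imitate ActiveRecord's quoting
# (single quotes doubled, integers left bare) so both styles can be compared.

# Quote one value as a SQL literal.
def quote(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"   # double every embedded quote
  end
end

# Imitates the ["... ? ...", v1, v2] array form accepted by find_by_sql.
def sanitize_sql_array(template, *values)
  raise ArgumentError, "placeholder/value count mismatch" unless template.count("?") == values.size
  vals = values.dup
  template.gsub("?") { quote(vals.shift) }
end

# Imitates :conditions => {:col => val}, as used in the question's controller.
def sanitize_sql_hash(conditions)
  conditions.map { |col, val| "#{col} = #{quote(val)}" }.join(" AND ")
end

# The answer's vulnerable style: the parameter is pasted into the SQL text.
def unsafe_query(id_param)
  "SELECT * FROM users WHERE id = #{id_param}"
end

# The answer's safe style: the parameter goes through the ? placeholder.
def safe_query(id_param)
  sanitize_sql_array("SELECT * FROM users WHERE id = ?", id_param)
end

# Crude shape check: number of predicates after WHERE, ignoring string
# literals. A single-id lookup should always yield exactly 1.
def predicate_count(sql)
  where = sql.split(/\bWHERE\b/i, 2).last
  where = where.gsub(/'(?:[^']|'')*'/, "''")   # blank out quoted literals
  where.split(/\b(?:AND|OR)\b/i).size
end

if __FILE__ == $0
  tampered = "1 OR 1=1"            # constructed input; a real id looks like "42"
  puts unsafe_query(tampered)      # input rewrote the query: 2 predicates
  puts safe_query(tampered)        # input stays one quoted literal: 1 predicate
  puts sanitize_sql_hash(:sparkle => "O'Brien")
end
```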
