In this conclusion to a four-part series covering security for a Ruby on Rails ecommerce application, you'll learn how to protect the application against SQL injection, cross-site request forgery, and more. This article is excerpted from chapter eight of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).
Protecting Your Rails Ecommerce Application - SQL Injection
One of the most common security holes in web applications is that they pass user input directly to the database without quoting. Thus, a malicious user can fairly easily run all the SQL he wants to on the server. An example of this would be a search form submission that is handled by the following code:
Now let's say Dirty Harry puts the following string into the search form:
"monkey'; delete from users; --"
The resulting SQL query will be as follows:
SELECT * from users where name = 'monkey'; delete from users; --'
This is a perfectly valid SQL query and will effectively wipe out the whole users table. Thus, you should never, ever, pass anything unquoted to the :conditions parameter of ActiveRecord finders. Instead, use the bind variable syntax:
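The following is an added example, not the book's own code: a Rails-free Ruby sketch that contrasts the interpolated query with the bind-variable form. The quoting rule (double every single quote) and the `?` substitution are assumed here to mirror what ActiveRecord's `quote` and `sanitize_sql_array` do for string values; the `users` table and the `vulnerable_query`/`safe_query` names are the example's own.

```ruby
# Added example (not from the book). Assumption: the quoting rule below
# (each ' becomes '') and "?" placeholder substitution mirror ActiveRecord's
# quote / sanitize_sql_array behaviour for string values.

# Vulnerable form: the user's input is dropped straight into the SQL string,
# so a quote in the input ends the literal and the rest becomes live SQL.
def vulnerable_query(name)
  "SELECT * from users where name = '#{name}'"
end

# Escape a value as a SQL string literal: every single quote is doubled,
# so the input can never terminate the literal early.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Bind-variable form: each "?" is replaced, in order, with a quoted value.
# gsub with a block scans the template once, so a "?" inside a bound value
# is never treated as another placeholder.
def sanitize_sql_array(sql, *values)
  unless sql.count("?") == values.length
    raise ArgumentError, "wrong number of bind values"
  end
  pending = values.dup
  sql.gsub("?") { quote(pending.shift) }
end

def safe_query(name)
  sanitize_sql_array("SELECT * from users where name = ?", name)
end

if __FILE__ == $0
  dirty_harry = "monkey'; delete from users; --"   # constructed input from the text
  puts vulnerable_query(dirty_harry)   # two statements: the delete runs
  puts safe_query(dirty_harry)         # one statement: the name is just a string
end
```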