Protecting Your Rails Ecommerce Application


In this conclusion to a four-part series covering security for a Ruby on Rails ecommerce application, you'll learn how to protect the application against SQL injection, cross-site request forgery, and more. This article is excerpted from chapter eight of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).

Author Info:
By: Apress Publishing
June 24, 2010
TABLE OF CONTENTS:
  1. Protecting Your Rails Ecommerce Application
  2. Protecting Your Application
  3. URL and Form Manipulation
  4. SQL Injection
  5. Cross-Site Request Forgery

Protecting Your Rails Ecommerce Application - SQL Injection
(Page 4 of 5)

One of the most common security holes in web applications is that they pass user input directly to the database without quoting. Thus, a malicious user can fairly easily run all the SQL he wants to on the server. An example of this would be a search form submission that is handled by the following code:

@users = User.find(:all, :conditions => "name = '#{params[:q]}'")   # vulnerable: user input interpolated straight into the SQL

Now let's say Dirty Harry puts the following string into the search form:

"monkey'; delete from users; --"

The resulting SQL query will be as follows:

SELECT * from users where name = 'monkey'; delete from users; --'

This is a perfectly valid SQL query and will effectively wipe out the whole users table. Thus, you should never, ever pass anything unquoted to the :conditions parameter of ActiveRecord finders. Instead, use the bind variable syntax:

@users = User.find(:all, :conditions => ["name = ?", params[:q]])   # safe: the value is quoted before it reaches the SQL

You can pass in as many question mark/variable pairs as you need. They are parsed and quoted in the order they are specified.

Another option in simple cases is to use the magic finders, where the parameter value is automatically quoted, too:

@users = User.find_by_name(params[:q])
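To make the difference between the two finders concrete, here is an added example (not code from the book or from Rails) that builds the search query both ways from Dirty Harry's input and then splits the result into statements the way a permissive database would. `quote_value` and `bind_conditions` are a simplified stand-in for ActiveRecord's `sanitize_sql_array` using ANSI `''` escaping (a real adapter applies database-specific quoting), and `statements` is a toy splitter, not a real SQL parser.

```ruby
# Added example (not from the book): why interpolation is exploitable and
# why bind variables are not. quote_value/bind_conditions are a simplified
# stand-in for ActiveRecord's sanitize_sql_array (ANSI '' escaping only);
# statements() is a toy splitter, not a real SQL parser.

# Vulnerable form from the article: the input is spliced into the SQL text.
def vulnerable_conditions(q)
  "name = '#{q}'"
end

# Quote a single bind value so that it stays inside one SQL literal.
def quote_value(value)
  case value
  when nil then "NULL"
  when Integer, Float then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Replace each ? in the template with the corresponding quoted value, in
# order, like ["name = ?", params[:q]] in an ActiveRecord finder.
def bind_conditions(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "wrong number of bind variables"
  end
  pending = values.dup
  template.gsub("?") { quote_value(pending.shift) }
end

def build_query(conditions)
  "SELECT * FROM users WHERE #{conditions}"
end

# Split SQL text into statements as a permissive server would see it:
# ';' outside a string literal ends a statement, '--' outside a literal
# starts a comment that runs to the end of the input.
def statements(sql)
  out, current, i, in_string = [], +"", 0, false
  while i < sql.length
    c = sql[i]
    if in_string
      if c == "'" && sql[i + 1] == "'"   # doubled quote: escaped quote inside the literal
        current << "''"
        i += 2
        next
      end
      in_string = false if c == "'"
      current << c
    elsif c == "'"
      in_string = true
      current << c
    elsif c == "-" && sql[i + 1] == "-"
      break                               # rest of the input is a comment
    elsif c == ";"
      out << current.strip unless current.strip.empty?
      current = +""
    else
      current << c
    end
    i += 1
  end
  out << current.strip unless current.strip.empty?
  out
end

if __FILE__ == $0
  harry = "monkey'; delete from users; --"   # constructed input, taken from the article
  puts build_query(vulnerable_conditions(harry))
  p statements(build_query(vulnerable_conditions(harry))).size   # 2 statements
  puts build_query(bind_conditions("name = ?", harry))
  p statements(build_query(bind_conditions("name = ?", harry))).size   # 1 statement
end
```

The interpolated version yields two statements, the second of which is the `delete`, while the bound version keeps the entire input inside one string literal (the attacker's `'` becomes `''`), so the server sees a single `SELECT` comparing `name` against a harmless, if odd, value.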

