sql injection prevention for create method in rails controller

既然无缘 2021-01-18 03:39

As seen in comment_controller.rb:

def create
    @comment = Comment.new(params[:comment])
    @comment.save
end

I'm assuming that this is SQ

2 answers
  • 2021-01-18 04:28

    Note that your code example is safe from SQL injection as explained by Alex, but it's not safe from mass assignment exploits.

  • 2021-01-18 04:36

    That code is safe from SQL injection attacks. The escaping is done by ActiveRecord, so any time you call a model's find, create, new/save, or any other method that does database interaction, you're OK. The only exception is if you use raw SQL for one of the options, for example:

    Comment.find(:all, :conditions => "user_id = #{params[:user_id]}")
    

    the preferred form is:

    Comment.find(:all, :conditions => {:user_id => params[:user_id]})
    

    which will be automatically protected against SQL injection.

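The two risks raised in the answers above (string-interpolated conditions versus quoted/cast hash conditions, and unfiltered mass assignment into Comment.new) are illustrated in the plain-Ruby example below. It is an added example that does not come from the question or either answerer and runs without Rails loaded: the helper names are hypothetical stand-ins that mimic what ActiveRecord's hash conditions and strong parameters (params.require(:comment).permit(...)) do, not the real API.

```ruby
# Hypothetical helpers that reproduce, in plain Ruby, the behaviour the
# answers describe. In a real Rails app use ActiveRecord's hash conditions
# (e.g. Comment.where(user_id: params[:user_id])) and strong parameters.

# The dangerous pattern from the answer: the raw request value is spliced
# into the SQL text, so a crafted value rewrites the query's structure.
def unsafe_condition(user_id)
  "user_id = #{user_id}"
end

# Hash-condition behaviour for an integer column: ActiveRecord type-casts
# the value to an integer, so only a number ever reaches the SQL.
def safe_integer_condition(user_id)
  "user_id = #{user_id.to_i}"
end

# Hash-condition behaviour for a string column: the value is quoted and
# embedded single quotes are doubled, so it stays a literal, never syntax.
def safe_string_condition(user_id)
  quoted = user_id.to_s.gsub("'", "''")
  "user_id = '#{quoted}'"
end

# Strong-parameters style whitelist for the mass-assignment issue raised in
# the first answer: only attributes a client may legitimately set survive,
# so extra keys such as user_id or admin in params[:comment] are dropped
# before anything like Comment.new(...) sees them.
PERMITTED_COMMENT_ATTRS = %w[body post_id].freeze

def permit_comment_params(params)
  comment = params.fetch("comment", {})
  comment.select { |key, _| PERMITTED_COMMENT_ATTRS.include?(key.to_s) }
end

# Returns the attribute names a request tried to set but was not allowed
# to; useful for logging attempted mass-assignment in the controller.
def rejected_comment_attrs(params)
  params.fetch("comment", {}).keys.map(&:to_s) - PERMITTED_COMMENT_ATTRS
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request values, not captured from a real app.
  puts unsafe_condition("1 OR 1=1")          # query structure changed
  puts safe_integer_condition("1 OR 1=1")    # cast to 1
  puts safe_string_condition("x' OR '1'='1") # quotes escaped
  p permit_comment_params("comment" => { "body" => "hi", "admin" => true })
end
```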