Skip to content
Browse files

Added extra words of caution for guarding against SQL-injection attacks

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@46 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
  • Loading branch information...
1 parent 6cc9615 commit 2575b3b065258162484ebbd2c809d5aa4ced56c7 @dhh dhh committed Dec 6, 2004
Showing with 7 additions and 3 deletions.
  1. +7 −3 activerecord/lib/active_record/base.rb
View
10 activerecord/lib/active_record/base.rb
@@ -71,10 +71,14 @@ class StatementInvalid < ActiveRecordError #:nodoc:
# end
# end
#
- # The +authenticate_unsafely+ method inserts the parameters directly into the query and is thus susceptible to SQL-injection
- # attacks if the +user_name+ and +password+ parameters come directly from a HTTP request. The +authenticate_safely+ method, on
- # the other hand, will sanitize the +user_name+ and +password+ before inserting them in the query, which will ensure that
+ # The <tt>authenticate_unsafely</tt> method inserts the parameters directly into the query and is thus susceptible to SQL-injection
+ # attacks if the <tt>user_name</tt> and +password+ parameters come directly from a HTTP request. The <tt>authenticate_safely</tt> method,
+ # on the other hand, will sanitize the <tt>user_name</tt> and +password+ before inserting them in the query, which will ensure that
# an attacker can't escape the query and fake the login (or worse).
+ #
+ # Beware, that the approach used in <tt>authenticate_unsafely</tt> is basically just a wrapped call to sprintf. This means that you
+ # still have to quote when using %s or use %d instead. So find_first([ "firm_id = %s", firm_id ]) is _not_ safe while both
+ # find_first([ "firm_id = '%s'", firm_id ]) and find_first([ "firm_id = %d", firm_id ]) are.
#
# == Overwriting default accessors
#

0 comments on commit 2575b3b

Please sign in to comment.
Something went wrong with that request. Please try again.