Rails Security – SQL Injection – Sanitize User Input!
Even though Rails makes every effort to help with security in your apps, you should still be proactive about it. Don’t just assume that your data will be safe no matter how you code. Here is a prime example. You have a login form and you process the request like this:
user = User.find(:first, :conditions=>["login = '#{params[:login]}'"])
You just essentially told every hacker how to kill your data: submitting a login such as "'; delete from users;--" runs a second statement of their choosing, or even worse, a database drop. The appropriate way would be like this:
user = User.find(:first, :conditions=>['login = ?', params[:login]])
Another thing you want to make sure you do is to escape user-supplied values in your views as well (the h helper HTML-escapes them):
<%= h @model.value %>
Assume the worst and check all your user input to make sure they can’t do anything you don’t want them to, and you will have a happy app!
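The following added example (not part of the original post, and not ActiveRecord) shows what the two finders above actually send to the database and why the placeholder form is safe: it builds the WHERE clause both ways with the post's payload, counts the statement separators a database would honour outside string literals, and uses ERB::Util.html_escape, which is what Rails' h helper calls. PAYLOAD and the helper names are constructed for the demonstration.

```ruby
require "erb"

# Attacker input constructed for the demonstration (the payload quoted in the post).
PAYLOAD = "'; delete from users;--"

# Unsafe: the same string interpolation as the first finder in the post.
def unsafe_condition(login)
  "login = '#{login}'"
end

# Quote a value the way a ? binding does: wrap in single quotes and double every
# embedded single quote, so the value can never close the literal early.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Safe: fill each ? in the template with a quoted value, like ['login = ?', params[:login]].
def bind_condition(template, *values)
  raise ArgumentError, "placeholder/value mismatch" unless template.count("?") == values.size
  values.each_with_object(template.dup) { |v, sql| sql.sub!("?") { quote(v) } }
end

# Count semicolons that sit OUTSIDE string literals and -- comments, i.e. the
# statement boundaries a database would actually see. A safe clause yields 0.
def unquoted_semicolons(sql)
  count = 0
  in_string = false
  i = 0
  while i < sql.length
    c = sql[i]
    if in_string
      if c == "'"
        if sql[i + 1] == "'" then i += 1 else in_string = false end
      end
    elsif c == "'"
      in_string = true
    elsif c == "-" && sql[i + 1] == "-"
      break                       # rest of the line is a comment
    elsif c == ";"
      count += 1
    end
    i += 1
  end
  count
end

# The view side: Rails' h helper is ERB::Util.html_escape, which turns <, >, &, ' and "
# into entities so user content renders as text instead of markup.
def escape_for_view(value)
  ERB::Util.html_escape(value)
end
```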
Wrapping :conditions in an array sanitizes the query… take away the brackets and you bring up a good point