NetManiac

Witold Rugowski on web20 wave with Ruby on Rails

Create from params and secure searching

Posted on September 5, 2007 - Filed Under RubyOnRails, Security

I ran on issue.

I have users created with User.create(params[:form]) and this is secure, in terms of SQL injection. And how I should find user by email using find with :conditions?

Create method does not escape @ sign, but :conditions => ["email = ?", params[:email]]) does escape, so user@domain (inserted to DB by create method) is something different than user%40domain (queried by find with :conditions).

I wonder how properly create :conditions statement. Of course User.find_by_email is secure (escapes ‘) and finds users by email since it does not escape @, but how to create more complicated queries with :conditions and be SQL injection safe?

I’m going to sleep, maybe tomorrow I find out right solution.

Popularity: 3% [?]

Hits for this post: 2433

Similar Posts

• Cookies and port in host’s location
• Understanding what characters are escaped by AR
• Email verification – regexp
• Simple search in Rails applications
• JavaScript templates – Minus Mor plugin

Comments

• Arduino!

  Arduino Uno
• Search this site
  
• 

• I do blog in polish, too!

• NetManiac on Twitter

• Most popular:

  • Adding Rails application to /usr/local/etc/rc.d/ (117124)
  • Changing markers icons with Google Maps API (71434)
  • Automatic login into Rails app (62507)
  • Rails, threads and Facebook (60771)
  • Changing markers icons in Google Maps application (37678)
  • OpenID: Simple Registration and 37signals (26265)
  • Sorting hash by values (24728)
  • Rake and arguments for tasks (21422)
  • ArgumentError: marshal data too short when loading session data (21016)
  • Paperclip, passenger and "not recognized by the 'identify' command" (17746)

• 

• Recently Written

  • Passing current user id to Rails models
  • wsdl2ruby and failing SSL certificate validation
  • ActiveMerchant: dumping traffic between Your app and payment gateway
  • ArgumentError: marshal data too short when loading session data
  • CHM should be in…
  • Thumbnails are missing when uploading new image
  • Ruby for Startups
  • Email verification – regexp
  • Extracting fixtures
  • Logger – simple, yet powerful Rails debugging tool

• Categories

  • Facebook
  • howto
  • Links
  • MUD
  • Other
  • Personal
  • run-n-share
  • Tech
    • AJAX
    • FreeBSD
    • Google Maps
    • JavaScript
    • Ruby
      • Tk
    • RubyOnRails
    • Security
    • wordpress
  • tips
  • Uncategorized
  • web

• Archives

  • ►2006 (157)
    • ►April (14)
      • How I did not get job at Microsoft?
      • New engine
      • Wireless telephone
      • Technorati
      • To be hired by MS, you have to stand out
      • Chrysler and domain ridiculous fight, or how to create PR disaster
      • You want to read it, because You want to be successful
      • ESR credited by MS
      • FreeBSD ports collection and licenses
      • Ruby On Rails and "sprawa polska"
      • Compact Ruby code
      • Ruby code - update
      • D-Link and PHK have settled
      • Railthello
    • ►May (24)
      • How to debug Rails app?
      • Another Commodore-64 emulator
      • Beginners life with Ruby and Rails
      • How to recover after Perl upgrade on FreeBSD
      • Secure internet phone calls - finally
      • How to survive Rails upgrade
      • Continuing with Rails version locking
      • Upgrading Rails and locking - grande finale?
      • Well thought design
      • Giving up coffee
      • Worst management experiences
      • Blog tools
      • Migrating rails - what it is about?
      • Blue Frog - war with spam is not over?
      • Ruby on Rails pocket reference
      • Google - again
      • Another useful FF extension
      • About setting goals
      • AJAX and MUD - is this possible?
      • No more google serach
      • Column names restrictions
      • DTrace - rails debugging reconsidered?
      • Dont use sessions table in rails
      • Not only generate but also destroy
    • ►June (11)
      • Bundled Rails and DB2
      • Coffee no more?
      • Brekpointer
      • GUI for breakpoint library in Ruby?
      • Nice to have plans
      • Rails and testing - where to start?
      • DB2 and Rails
      • Failing plugins discover
      • Monitoring FreeBSDs ports
      • Slow updates
      • Real Virtual Desktop
    • ►July (11)
      • Back again
      • It is hard to start
      • Speed up
      • Output to browser in .rhtml templates
      • 37signals and Jeff Bezos
      • Jastarnia's beaches
      • Another changes
      • HTTP does not like long-lasting tasks
      • MUD and virtualization
      • Rails tips collection for almost every developer
      • Time to go dynamic
    • ►August (21)
      • Blog should be easy to read, right?
      • Subversion and Rails HOWTO
      • Time tracking - online and offline
      • $DEBUG variable in Ruby
      • Yet another rake and subversion task
      • readable? vs. readable_real?
      • Using Ruby gems
      • Rails and security
      • TIOBE Programming Index
      • Google - video vs. usenet
      • Removing parts of form saved information in Firefox
      • Wordpress blogtxt theme patch
      • Catching general exceptions in Ruby
      • FreeBSD port monitoring revised
      • Adding Rails application to /usr/local/etc/rc.d/
      • Give a try to Flock
      • You want to start new company?!?
      • ISS - no more
      • Apple does not make RIM's errors
      • Starting Rails application on FreeBSD - script
      • Rails application creation - script
    • ►September (11)
      • Programming languages or holy war
      • Debugging HTTP
      • How to start debug Ruby programs?
      • First save, then use :id
      • Saving objects and :id revisited
      • Testing Rails application with ActsAsAuthenticated plugin
      • Got some change?
      • Consultant
      • JOE and Rails or how to color RHTML
      • Generating data for AJAX req in Rails on the fly
      • Data for AJAX req in Rails on the fly - solution
    • ►October (24)
      • Update to JOE's syntax file for RHTML
      • Google Maps scale - cheat sheet
      • Playing with Rails in sandbox
      • Synchronization between objects in JavaScript
      • Moving ports tree between machines
      • Google Maps events - list
      • JOE and failing rake stats
      • JS objects synchronisation - true story
      • AJAX.MUD
      • Memory usage for simple FreeBSD server
      • Ruby is nice language, but...
      • Default values for function args in JS
      • Mixing h() helper and plain output in rhtml
      • Calculating distance with Google Maps API
      • 37signals and "polski akcent"
      • Automatic login into Rails app
      • Cheat sheets for Rails and not only
      • Google Maps API - setCenter is crucial
      • IE JavaScript & DOM debugging
      • JavaScript - no automatic conversion to number
      • Does Rails reload all in development mode?
      • Google Mail and counter of doom
      • Technorati have put my blog on hold
      • Time for changes
    • ►November (21)
      • Lies, damn lies and...
      • Technorati - no more on hold
      • RHTML syntax file for JOE - update
      • Virtual Ruby - finally?
      • form_tag and HTML options
      • Railsbook?
      • Rsync for backup
      • GMarkerManager or Google Map with many icons
      • Debugging AJAX in IE
      • Rake subversion task update
      • Cookies and port in host's location
      • AJAX, IE and Debugbar
      • Writing - best way to sort own knowledge
      • RNS is coming
      • Finally - RJS templates a rebours
      • Run-n-Share the beginning
      • How to distribute Rails application
      • Things are moving on
      • Rails and lost MySQL connection
      • Changing markers icons in Google Maps application
      • New categories
    • ►December (20)
      • Iterating getMapTypes()
      • Run-N-Share update
      • I was tempted
      • New search tool on NetManiac
      • First day in new job
      • Calories, calories... How to burn some?
      • Testing desing in IEs
      • Calories calculation - fix
      • Yahoo/Google Maps plugin for Rails
      • Pagination, AJAX and GROUP BY
      • foobar not loaded yet - in Rails console
      • Rails meeting
      • Javscript
      • Changing routes
      • Firefox 2.0 and non standard ports
      • RNS - update
      • FireBug rocks
      • Do You need to learn type faster?
      • JavaScript templates - Minus Mor plugin
      • Advent links
  • ►2007 (80)
    • ►January (12)
      • RNS - edit routes
      • Another dumb RoR restriction
      • Migrations headache
      • Helpers available both in controller and templates
      • Route tagging
      • Acts As Taggable gem and MySQL duplicate key
      • Will it speed up?
      • Wallpapers
      • Inside biggest passenger plane - A380
      • H1 - finally
      • RSS, Rails and joy of coding
      • MySQL - fields table is not good idea
    • ►February (9)
      • GLog - another reason to use Google Maps API
      • How to create shapes for Google Maps?
      • Web2.0 versus old-web
      • Free geographical data
      • New plugin required
      • NTFS access under Linux/FreeBSD
      • Most annoying Rails/Ruby issue
      • Dont copy code
      • Ruby on Rails and H1 sponsorship
    • ►March (12)
      • Time is crucial
      • 2.months.ago
      • Changing DB engine - Rails way
      • Hurrahhh! breakpoints reactivated
      • Me, Windows and Ruby
      • Maintenance pains
      • Controllers names in Rails routes
      • Apollo and Rails
      • Typo:my personal best
      • Strange error in IE when using GPolyline
      • IE errors with GPolyline - one more word
      • GM API shape getter plus bonus
    • ►April (6)
      • Google Maps and IPhone-like experience
      • Toggling GMarker on and off
      • MUD, AJAX and real world
      • RuPy 2007 or why Rails still amazes me
      • Google Maps API setImage or no more events redefinition
      • Including gems with new rubygems
    • ►May (8)
      • RNS update, setImage tested
      • Why I do enable caching in development mode?
      • Support software developers
      • Migrations with advanced data operations
      • Smaller labels on Google Maps
      • Code generation and events in Google Maps API
      • Save editing Wordpress theme on live site
      • New theme
    • ►June (7)
      • Proper RHTML tags for each loops
      • Sorting hash by values
      • Facebook API - developer impressions
      • Why I do hate IE - or just MS Script Debugger?
      • Empty nil
      • REXML and missing iconv
      • FriendsFeedMe!
    • ►July (5)
      • RNS now comes with labels
      • Google Maps API as debugger tool
      • DRb and security
      • Stable Google Maps API
      • Find people with similar interests
    • ►August (5)
      • New RFacebook gem/plugin
      • FriendsFeedMe on new gem
      • Rumble anyone?
      • Approaching to release new FFM
      • Skinny controller, fat model and Facebook
    • ►September (7)
      • Exception notification - must have for every Rails application
      • Create from params and secure searching
      • Google Maps - quick tip for finding coordinates
      • Do You want to test Yourself as a startup founder?
      • Changing markers icons with Google Maps API
      • Embracing constraints
      • Embedded maps with routes
    • ►October (4)
      • Ruby Tk
      • Rails in production and code reloading
      • Sending UDP packets with fixed source port
      • Updating Rails when vendor/rails is under local svn
    • ►November (3)
      • Understanding what characters are escaped by AR
      • Interacting with Facebook without user
      • Rails, threads and Facebook
    • ►December (2)
      • Writing tests for Ruby/Tk application
      • EventMachine - how to get client's IP address
  • ►2008 (43)
    • ►January (5)
      • Rails hits mainstream - finally?
      • FreeBSD from a scratch for Rails
      • OpenID: Simple Registration and 37signals
      • I want my console!
      • Tk docs and best practices
    • ►February (2)
      • Why are You doomed being Ruby developer on Windows platform
      • Configuring Rails from database
    • ►March (3)
      • NetManiac - reloaded
      • How to write DSL (with Acts As Tree in background)
      • Don't use array as argument for AJAX call with Prototype
    • ►April (5)
      • RuPy 2008
      • Google Maps - simple tutorial
      • Run-N-Share is still alive!
      • Changing domain for Rails application
      • Progress bar for migration
    • ►May (5)
      • RNS has own blog
      • TLabel - simple, smaller labels on Google Maps
      • GMarkerManager and setImage - why it fails?
      • Copy&Paste factory pattern
      • Shuffling RubyGems versions
    • ►June (3)
      • Uploading photos to Facebook with RFacebook
      • Quick fix for strange Ruby errors
      • Shoulda You abandon Test::Unit?
    • ►July (5)
      • Rails filters
      • When timeout hit You with Amazon SQS on FreeBSD/VMWare
      • Web application that has changed my life
      • Ups and downs with samba
      • Did I just cross Rubicon?
    • ►August (2)
      • Back online
      • Put'em in the queue
    • ►September (3)
      • Session store - don't get trapped
      • MySQL collate setting in Rails application
      • What Would Seth Godin Do - WordPress plugin patch
    • ►October (5)
      • Django, anyone?
      • NetBeans, Subversion, SSH and Windows
      • Rake and arguments for tasks
      • Simple search in Rails applications
      • How did I overcome TDD fear
    • ►November (2)
      • NetBeans code template for RESTful controller
      • NetBeans, SVN, SSH and multiple repositories
    • ►December (3)
      • It's time to say goodbye!
      • Using non text values as arguments in functional tests
      • Will paginate for rescue
  • ►2009 (12)
    • ►January (2)
      • GeoKit - have You slept on trigonometry?
      • Reloading Your plugin in development mode
    • ►February (1)
      • MySQL, collations and Rails - or server, database, connection - that is not all
    • ►April (2)
      • Test benchmark - useful gem for Rails tests
      • MySQL and ERROR 1114 (HY000): The table TABLE is full
    • ►May (1)
      • Associations and to_json on collections of objects
    • ►June (1)
      • Design patterns or SOLID design
    • ►July (2)
      • Paperclip, passenger and "not recognized by the 'identify' command"
      • Are ActiveRecord validations worth anything?
    • ►September (3)
      • Testing binary downloads with Webrat
      • Logger - simple, yet powerful Rails debugging tool
      • Extracting fixtures
  • ►2010 (6)
    • ►January (2)
      • Email verification - regexp
      • Ruby for Startups
    • ►March (1)
      • Thumbnails are missing when uploading new image
    • ►July (1)
      • CHM should be in...
    • ►August (1)
      • ArgumentError: marshal data too short when loading session data
    • ►October (1)
      • ActiveMerchant: dumping traffic between Your app and payment gateway
  • ►2011 (2)
    • ►January (1)
      • wsdl2ruby and failing SSL certificate validation
    • ►November (1)
      • Passing current user id to Rails models

• Blogroll

  • 30-Day Trial – 30 Days to Success
  • Friend’s SEO challenge
  • Nettigo - Web development on time and on budget
  • Presentation ZEN
  • Sklep z Arduino - Official Arduino distributor in Poland. Focus on Arduino for beginners
  • Tomek

Copyright © 2006-2009 NetManiac Powered by WordPress - Theme YGo Loner Created by - YGoSearch