NetManiac

Witold Rugowski on web20 wave with Ruby on Rails

Understanding what characters are escaped by AR

Posted on November 9, 2007 - Filed Under RubyOnRails, Security

If you're new here, you may want to subscribe to my RSS feed. You can also get updates by email Thanks for visiting!

Working on Facebook application for my customer I’ve been reminded about some basic facts of strings escaping by ActiveRecord. I found a code which could be bug cause in some circumstances - when using find with :conditions => [ "some_field = ?", attr].

This pattern makes attr string passed to database engine safe in context of SQL injection, and is required when dealing with any untrusted data. But You have to remember about % sign, it could be dangerous.

In my customer application there is feature of searching through user database, but it should show only exact matches to last name. There was check to force query to have at least 3 chars, but when You provided % three times, application happily dumped list of all users.

So remember about % sign when results should not return whole dataset.

Popularity: 5% [?]

Hits for this post: 1246

Similar Posts

• New search tool on NetManiac
• Email verification - regexp
• Testing Rails application with ActsAsAuthenticated plugin
• MySQL collate setting in Rails application
• Run-N-Share is still alive!

Comments

• Search this site
  
• 

• I do blog in polish, too!

• NetManiac on Twitter

• Most popular:

  • Adding Rails application to /usr/local/etc/rc.d/ (46494)
  • Changing markers icons with Google Maps API (31776)
  • Changing markers icons in Google Maps application (22247)
  • Rails, threads and Facebook (17434)
  • Automatic login into Rails app (12457)
  • Sorting hash by values (10770)
  • Google Maps API - setCenter is crucial (8961)
  • Rake and arguments for tasks (7806)
  • AJAX and MUD - is this possible? (7617)
  • OpenID: Simple Registration and 37signals (7468)

• 

• Recently Written

  • Thumbnails are missing when uploading new image
  • Ruby for Startups
  • Email verification - regexp
  • Extracting fixtures
  • Logger - simple, yet powerful Rails debugging tool
  • Testing binary downloads with Webrat
  • Are ActiveRecord validations worth anything?
  • Paperclip, passenger and “not recognized by the ‘identify’ command”
  • Design patterns or SOLID design
  • Associations and to_json on collections of objects

• Categories

  • Facebook
  • howto
  • Links
  • MUD
  • Other
  • Personal
  • run-n-share
  • Tech
    • AJAX
    • FreeBSD
    • Google Maps
    • JavaScript
    • Ruby
      • Tk
    • RubyOnRails
    • Security
    • wordpress
  • tips
  • Uncategorized
  • web

• Archives

  • ►2006 (157)
    • ►April (14)
      • How I did not get job at Microsoft?
      • New engine
      • Wireless telephone
      • Technorati
      • To be hired by MS, you have to stand out
      • Chrysler and domain ridiculous fight, or how to create PR disaster
      • You want to read it, because You want to be successful
      • ESR credited by MS
      • FreeBSD ports collection and licenses
      • Ruby On Rails and "sprawa polska"
      • Compact Ruby code
      • Ruby code - update
      • D-Link and PHK have settled
      • Railthello
    • ►May (24)
      • How to debug Rails app?
      • Another Commodore-64 emulator
      • Beginners life with Ruby and Rails
      • How to recover after Perl upgrade on FreeBSD
      • Secure internet phone calls - finally
      • How to survive Rails upgrade
      • Continuing with Rails version locking
      • Upgrading Rails and locking - grande finale?
      • Well thought design
      • Giving up coffee
      • Worst management experiences
      • Blog tools
      • Migrating rails - what it is about?
      • Blue Frog - war with spam is not over?
      • Ruby on Rails pocket reference
      • Google - again
      • Another useful FF extension
      • About setting goals
      • AJAX and MUD - is this possible?
      • No more google serach
      • Column names restrictions
      • DTrace - rails debugging reconsidered?
      • Dont use sessions table in rails
      • Not only generate but also destroy
    • ►June (11)
      • Bundled Rails and DB2
      • Coffee no more?
      • Brekpointer
      • GUI for breakpoint library in Ruby?
      • Nice to have plans
      • Rails and testing - where to start?
      • DB2 and Rails
      • Failing plugins discover
      • Monitoring FreeBSDs ports
      • Slow updates
      • Real Virtual Desktop
    • ►July (11)
      • Back again
      • It is hard to start
      • Speed up
      • Output to browser in .rhtml templates
      • 37signals and Jeff Bezos
      • Jastarnia's beaches
      • Another changes
      • HTTP does not like long-lasting tasks
      • MUD and virtualization
      • Rails tips collection for almost every developer
      • Time to go dynamic
    • ►August (21)
      • Blog should be easy to read, right?
      • Subversion and Rails HOWTO
      • Time tracking - online and offline
      • $DEBUG variable in Ruby
      • Yet another rake and subversion task
      • readable? vs. readable_real?
      • Using Ruby gems
      • Rails and security
      • TIOBE Programming Index
      • Google - video vs. usenet
      • Removing parts of form saved information in Firefox
      • Wordpress blogtxt theme patch
      • Catching general exceptions in Ruby
      • FreeBSD port monitoring revised
      • Adding Rails application to /usr/local/etc/rc.d/
      • Give a try to Flock
      • You want to start new company?!?
      • ISS - no more
      • Apple does not make RIM's errors
      • Starting Rails application on FreeBSD - script
      • Rails application creation - script
    • ►September (11)
      • Programming languages or holy war
      • Debugging HTTP
      • How to start debug Ruby programs?
      • First save, then use :id
      • Saving objects and :id revisited
      • Testing Rails application with ActsAsAuthenticated plugin
      • Got some change?
      • Consultant
      • JOE and Rails or how to color RHTML
      • Generating data for AJAX req in Rails on the fly
      • Data for AJAX req in Rails on the fly - solution
    • ►October (24)
      • Update to JOE's syntax file for RHTML
      • Google Maps scale - cheat sheet
      • Playing with Rails in sandbox
      • Synchronization between objects in JavaScript
      • Moving ports tree between machines
      • Google Maps events - list
      • JOE and failing rake stats
      • JS objects synchronisation - true story
      • AJAX.MUD
      • Memory usage for simple FreeBSD server
      • Ruby is nice language, but...
      • Default values for function args in JS
      • Mixing h() helper and plain output in rhtml
      • Calculating distance with Google Maps API
      • 37signals and "polski akcent"
      • Automatic login into Rails app
      • Cheat sheets for Rails and not only
      • Google Maps API - setCenter is crucial
      • IE JavaScript & DOM debugging
      • JavaScript - no automatic conversion to number
      • Does Rails reload all in development mode?
      • Google Mail and counter of doom
      • Technorati have put my blog on hold
      • Time for changes
    • ►November (21)
      • Lies, damn lies and...
      • Technorati - no more on hold
      • RHTML syntax file for JOE - update
      • Virtual Ruby - finally?
      • form_tag and HTML options
      • Railsbook?
      • Rsync for backup
      • GMarkerManager or Google Map with many icons
      • Debugging AJAX in IE
      • Rake subversion task update
      • Cookies and port in host's location
      • AJAX, IE and Debugbar
      • Writing - best way to sort own knowledge
      • RNS is coming
      • Finally - RJS templates a rebours
      • Run-n-Share the beginning
      • How to distribute Rails application
      • Things are moving on
      • Rails and lost MySQL connection
      • Changing markers icons in Google Maps application
      • New categories
    • ►December (20)
      • Iterating getMapTypes()
      • Run-N-Share update
      • I was tempted
      • New search tool on NetManiac
      • First day in new job
      • Calories, calories... How to burn some?
      • Testing desing in IEs
      • Calories calculation - fix
      • Yahoo/Google Maps plugin for Rails
      • Pagination, AJAX and GROUP BY
      • foobar not loaded yet - in Rails console
      • Rails meeting
      • Javscript
      • Changing routes
      • Firefox 2.0 and non standard ports
      • RNS - update
      • FireBug rocks
      • Do You need to learn type faster?
      • JavaScript templates - Minus Mor plugin
      • Advent links
  • ►2007 (80)
    • ►January (12)
      • RNS - edit routes
      • Another dumb RoR restriction
      • Migrations headache
      • Helpers available both in controller and templates
      • Route tagging
      • Acts As Taggable gem and MySQL duplicate key
      • Will it speed up?
      • Wallpapers
      • Inside biggest passenger plane - A380
      • H1 - finally
      • RSS, Rails and joy of coding
      • MySQL - fields table is not good idea
    • ►February (9)
      • GLog - another reason to use Google Maps API
      • How to create shapes for Google Maps?
      • Web2.0 versus old-web
      • Free geographical data
      • New plugin required
      • NTFS access under Linux/FreeBSD
      • Most annoying Rails/Ruby issue
      • Dont copy code
      • Ruby on Rails and H1 sponsorship
    • ►March (12)
      • Time is crucial
      • 2.months.ago
      • Changing DB engine - Rails way
      • Hurrahhh! breakpoints reactivated
      • Me, Windows and Ruby
      • Maintenance pains
      • Controllers names in Rails routes
      • Apollo and Rails
      • Typo:my personal best
      • Strange error in IE when using GPolyline
      • IE errors with GPolyline - one more word
      • GM API shape getter plus bonus
    • ►April (6)
      • Google Maps and IPhone-like experience
      • Toggling GMarker on and off
      • MUD, AJAX and real world
      • RuPy 2007 or why Rails still amazes me
      • Google Maps API setImage or no more events redefinition
      • Including gems with new rubygems
    • ►May (8)
      • RNS update, setImage tested
      • Why I do enable caching in development mode?
      • Support software developers
      • Migrations with advanced data operations
      • Smaller labels on Google Maps
      • Code generation and events in Google Maps API
      • Save editing Wordpress theme on live site
      • New theme
    • ►June (7)
      • Proper RHTML tags for each loops
      • Sorting hash by values
      • Facebook API - developer impressions
      • Why I do hate IE - or just MS Script Debugger?
      • Empty nil
      • REXML and missing iconv
      • FriendsFeedMe!
    • ►July (5)
      • RNS now comes with labels
      • Google Maps API as debugger tool
      • DRb and security
      • Stable Google Maps API
      • Find people with similar interests
    • ►August (5)
      • New RFacebook gem/plugin
      • FriendsFeedMe on new gem
      • Rumble anyone?
      • Approaching to release new FFM
      • Skinny controller, fat model and Facebook
    • ►September (7)
      • Exception notification - must have for every Rails application
      • Create from params and secure searching
      • Google Maps - quick tip for finding coordinates
      • Do You want to test Yourself as a startup founder?
      • Changing markers icons with Google Maps API
      • Embracing constraints
      • Embedded maps with routes
    • ►October (4)
      • Ruby Tk
      • Rails in production and code reloading
      • Sending UDP packets with fixed source port
      • Updating Rails when vendor/rails is under local svn
    • ►November (3)
      • Understanding what characters are escaped by AR
      • Interacting with Facebook without user
      • Rails, threads and Facebook
    • ►December (2)
      • Writing tests for Ruby/Tk application
      • EventMachine - how to get client's IP address
  • ►2008 (43)
    • ►January (5)
      • Rails hits mainstream - finally?
      • FreeBSD from a scratch for Rails
      • OpenID: Simple Registration and 37signals
      • I want my console!
      • Tk docs and best practices
    • ►February (2)
      • Why are You doomed being Ruby developer on Windows platform
      • Configuring Rails from database
    • ►March (3)
      • NetManiac - reloaded
      • How to write DSL (with Acts As Tree in background)
      • Don't use array as argument for AJAX call with Prototype
    • ►April (5)
      • RuPy 2008
      • Google Maps - simple tutorial
      • Run-N-Share is still alive!
      • Changing domain for Rails application
      • Progress bar for migration
    • ►May (5)
      • RNS has own blog
      • TLabel - simple, smaller labels on Google Maps
      • GMarkerManager and setImage - why it fails?
      • Copy&Paste factory pattern
      • Shuffling RubyGems versions
    • ►June (3)
      • Uploading photos to Facebook with RFacebook
      • Quick fix for strange Ruby errors
      • Shoulda You abandon Test::Unit?
    • ►July (5)
      • Rails filters
      • When timeout hit You with Amazon SQS on FreeBSD/VMWare
      • Web application that has changed my life
      • Ups and downs with samba
      • Did I just cross Rubicon?
    • ►August (2)
      • Back online
      • Put'em in the queue
    • ►September (3)
      • Session store - don't get trapped
      • MySQL collate setting in Rails application
      • What Would Seth Godin Do - WordPress plugin patch
    • ►October (5)
      • Django, anyone?
      • NetBeans, Subversion, SSH and Windows
      • Rake and arguments for tasks
      • Simple search in Rails applications
      • How did I overcome TDD fear
    • ►November (2)
      • NetBeans code template for RESTful controller
      • NetBeans, SVN, SSH and multiple repositories
    • ►December (3)
      • It's time to say goodbye!
      • Using non text values as arguments in functional tests
      • Will paginate for rescue
  • ►2009 (12)
    • ►January (2)
      • GeoKit - have You slept on trigonometry?
      • Reloading Your plugin in development mode
    • ►February (1)
      • MySQL, collations and Rails - or server, database, connection - that is not all
    • ►April (2)
      • Test benchmark - useful gem for Rails tests
      • MySQL and ERROR 1114 (HY000): The table TABLE is full
    • ►May (1)
      • Associations and to_json on collections of objects
    • ►June (1)
      • Design patterns or SOLID design
    • ►July (2)
      • Paperclip, passenger and "not recognized by the 'identify' command"
      • Are ActiveRecord validations worth anything?
    • ►September (3)
      • Testing binary downloads with Webrat
      • Logger - simple, yet powerful Rails debugging tool
      • Extracting fixtures
  • ▼2010 (3)
    • ►January (2)
      • Email verification - regexp
      • Ruby for Startups
    • ▼March (1)
      • Thumbnails are missing when uploading new image

• Blogroll

  • 30-Day Trial - 30 Days to Success
  • Friend’s SEO challenge
  • Nettigo - Web development on time and on budget
  • Presentation ZEN
  • Sklep z Arduino - Official Arduino distributor in Poland. Focus on Arduino for beginners
  • Tomek

Copyright © 2006-2009 NetManiac Powered by WordPress - Theme YGo Loner Created by - YGoSearch