NetManiac

Create from params and secure searching

by

Witold Rugowski
in ,

I ran on issue.

I have users created with User.create(params[:form]) and this is secure, in terms of SQL injection. And how I should find user by email using find with :conditions?

Create method does not escape @ sign, but :conditions => ["email = ?", params[:email]]) does escape, so user@domain (inserted to DB by create method) is something different than user%40domain (queried by find with :conditions).

I wonder how properly create :conditions statement. Of course User.find_by_email is secure (escapes ‘) and finds users by email since it does not escape @, but how to create more complicated queries with :conditions and be SQL injection safe?

I’m going to sleep, maybe tomorrow I find out right solution.

Comments

2 responses to “Create from params and secure searching”

  1. Radarek Avatar
    Radarek

    Which datatabase do you use? I use mysql and there is no escaping of \’@\’ character.

  2. NetManiac Avatar
    NetManiac

    I use MySQL too and You are right.

    My Rails Rumble participation resulted in no updating blog :)

    It was late night when I wrote this entry and did not found a reason. Somewhere on validating email format (if it has proper format) I did CGI::escape on this string. And thus @ become %40….

    CGI::escape ‘test@example.com’
    => “test%40example.com”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.