Working on a Facebook application for my customer, I was reminded of some basic facts about string escaping in ActiveRecord. I found code which could cause a bug in some circumstances: using find with :conditions => [ "some_field = ?", attr ].
This pattern makes the attr string passed to the database engine safe against SQL injection, and is required when dealing with any untrusted data. But you have to remember about the % sign: it can be dangerous, because the placeholder only quotes the value, and % remains a wildcard inside a LIKE pattern.
In my customer's application there is a feature for searching through the user database, but it should show only exact matches on last name. There was a check forcing the query to have at least 3 characters, but when you provided % three times, the application happily dumped the list of all users.
So remember the % sign whenever results should not return the whole dataset.
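As an added example (not the post's own code), here is the search from the post reduced to plain Ruby: the "?" placeholder quotes the value, but % and _ are still LIKE wildcards, so they must be escaped before the value goes into the pattern (in Rails, sanitize_sql_like does this; escape_like below is a stand-in). The LIKE matcher is emulated in Ruby so the example runs without a database, and the user names are constructed.

```ruby
# Escape LIKE metacharacters so user input matches literally.
# Mirrors ActiveRecord's sanitize_sql_like (assumption: default escape '\').
ESCAPE_CHAR = "\\"

def escape_like(str, esc = ESCAPE_CHAR)
  str.gsub(/[\\%_]/) { |m| esc + m }
end

# Emulate the database's LIKE ... ESCAPE '\' matching as a Regexp,
# so the behaviour can be shown offline (case-insensitive like MySQL).
def like_to_regexp(pattern, esc = ESCAPE_CHAR)
  out = +""
  chars = pattern.chars
  i = 0
  while i < chars.length
    c = chars[i]
    if c == esc && i + 1 < chars.length
      out << Regexp.escape(chars[i + 1]) # escaped: literal char
      i += 2
      next
    end
    out << case c
           when "%" then ".*"            # any run of characters
           when "_" then "."             # exactly one character
           else Regexp.escape(c)
           end
    i += 1
  end
  Regexp.new("\\A#{out}\\z", Regexp::IGNORECASE)
end

# Constructed sample data standing in for the users table.
USERS = %w[Kowalski Nowak Smith Wozniak].freeze

# The vulnerable version: "last_name LIKE ?" with the raw term.
# The 3-character check from the post is kept, and "%%%" passes it.
def search_vulnerable(term)
  return [] if term.length < 3
  re = like_to_regexp(term)
  USERS.select { |u| u =~ re }
end

# The fixed version: wildcards in the term are escaped, so the
# LIKE behaves as an exact (case-insensitive) match on the last name.
def search_fixed(term)
  return [] if term.length < 3
  re = like_to_regexp(escape_like(term))
  USERS.select { |u| u =~ re }
end
```

For an exact match with no case folding, "last_name = ?" needs no escaping at all; the escaping matters whenever LIKE (or ILIKE) is the operator.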