Category: Security

  • Are ActiveRecord validations worth anything?

    ActiveRecord, which is a core component of the Rails framework (at least before Rails 3.0 becomes reality), provides a lot of features which developers do love. Validations are one of those features. They are methods which provide an easy way to check if a model is valid and protect the consistency of our data in the database. Sounds good, but this is bullshit.…

  • Understanding what characters are escaped by AR

    Working on a Facebook application for my customer, I’ve been reminded about some basic facts of string escaping by ActiveRecord. I found code which could be the cause of a bug in some circumstances – when using find with :conditions => ["some_field = ?", attr]. This pattern makes the attr string passed to the database engine safe in the context…

  • Create from params and secure searching

    I ran into an issue. I have users created with User.create(params[:form]) and this is secure, in terms of SQL injection. And how should I find a user by email using find with :conditions? The create method does not escape the @ sign, but :conditions => ["email = ?", params[:email]]) does escape it, so user@domain (inserted into the DB by the create method)…

  • DRb and security

    The FriendsFeedMe application is built around RSS feeds and relations between people. As a result we need to process a lot of OPML files. My first approach to this task was to build a web frontend (a Rails powered application) and some library to process data uploaded via the frontend, and display the results via the web. Processing was done at fixed intervals…

  • I was tempted

    I was tempted to click, for the first time in a long time. Click on an ad. A Flash ad. Well, it was an ad on some Polish portal. I suppose it is an ad from P4, the new Polish GSM operator. I suppose so because when I was redirected to http://www.nadchodzi4.com/, I got this nice page: Warning: mysql_connect() [function.mysql-connect]: Can’t connect to MySQL…