sql injection prevention for create method in rails controller

As seen in comment_controller.rb:

def create
    @comment = Comment.new(params[:comment])
    @comment.save
end

Im assuming that this is SQL injection-unsafe. But what is the correct way of doing it?.. All the examples on the net deal with finds.

That code is safe from SQL injection attacks. The escaping is done by ActiveRecord, so any time you call a model's find, create, new/save, or any other method that does database interaction, you're OK. The only exception is if you use raw SQL for one of the options, for example:

Comment.find(:all, :conditions => "user_id = #{params[:user_id]}")

the preferred form is:

Comment.find(:all, :conditions => {:user_id => params[:user_id]})

which will be automatically protected against SQL injection.

Note that your code example is safe from SQL injection as explained by Alex, but it's not safe from mass assignment exploits.

来源：https://stackoverflow.com/questions/2144778/sql-injection-prevention-for-create-method-in-rails-controller

标签

ruby-on-rails

activerecord

sql-injection

易学教程内所有资源均来自网络或用户发布的内容，如有违反法律规定的内容欢迎反馈！
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!