Topic: Question about ActiveRecord and sanitizing inputs

I've been reading through the ActiveRecord::Base API, and came across this:

Conditions

Conditions can either be specified as a string, array, or hash representing the WHERE-part of an SQL statement. The array form is to be used when the condition input is tainted and requires sanitization. The string form can be used for statements that don’t involve tainted data. The hash form works much like the array form, except only equality and range is possible. Examples:

class User < ActiveRecord::Base
  def self.authenticate_unsafely(user_name, password)
    where("user_name = '#{user_name}' AND password = '#{password}'").first
  end

  def self.authenticate_safely(user_name, password)
    where("user_name = ? AND password = ?", user_name, password).first
  end

  def self.authenticate_safely_simply(user_name, password)
    where(:user_name => user_name, :password => password).first
  end
end

The authenticate_unsafely method inserts the parameters directly into the query and is thus susceptible to SQL-injection attacks if the user_name and password parameters come directly from an HTTP request. The authenticate_safely and authenticate_safely_simply both will sanitize the user_name and password before inserting them in the query, which will ensure that an attacker can’t escape the query and fake the login (or worse).

My question is about the bolded statement towards the end:

The authenticate_safely and authenticate_safely_simply both will sanitize the user_name and password before inserting them in the query

So does this mean that Rails automatically sanitizes the inputs for me, or is this just saying that the latter two formats allow the inputs to be sanitized using code that's not shown?

Thanks.

Re: Question about ActiveRecord and sanitizing inputs

You will see that there are 3 different examples of how to construct the where clause that will return the same result

The explanation is regarding the different ways to construct the where clause using parameters that a user has entered into some form on your website, and it applies to all SQL requests. So basically it is saying NEVER pass user input into a where, conditions or find clause THIS WAY:

:user_name => user_name, :password => password

This way is fine and secure and tends to be the way I typically construct where clauses or conditions:

"user_name = ? AND password = ?", user_name, password

This way is just as safe but simpler to do and read:

:user_name => user_name, :password => password

I tend not to use this last way too much as it is not always a viable option (i.e. when I need to add my own non user input data that relies on something like a boolean value) and I like consistency in my code.

Whichever of the 2 recommended ways you choose is fine and down to personal preference; just NEVER use the first way, regardless of whether or not the data has come from a form, and that way you will never get caught out by mistake.
It's just about how to get parameters safely into a where clause, avoiding any SQL injection attacks, and it applies to ANY form, NOT just authentication, e.g. a search form.

What you want and what you need are too often not the same thing!
When your head is hurting from trying to solve a problem, stop standing on it. When you are the right way up you will see the problem differently and you just might find the solution.
(Quote by me 15th July 2009)
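To make the point above concrete, here is an added example that is not ActiveRecord's own code: a plain-Ruby stand-in (no Rails needed) for the quoting that the array and hash forms apply to bind values, so you can see why a value containing a quote stays inside one string literal. The names quote_value, sanitize_sql_array and sanitize_sql_hash are assumptions of this example, not the real ActiveRecord internals.

```ruby
# Added example: mimics (does not reproduce) how ActiveRecord quotes bind
# values for the array and hash condition forms. Hypothetical helper names.

# Render one Ruby value as a single SQL literal. Strings are wrapped in
# single quotes with embedded quotes doubled, so the value cannot close
# the literal early.
def quote_value(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  when true           then "TRUE"
  when false          then "FALSE"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Array form: "col = ? AND other = ?", v1, v2
# Each "?" is replaced by the quoted value in order; a count mismatch is
# an error rather than a silently half-filled template.
def sanitize_sql_array(template, *values)
  expected = template.count("?")
  unless expected == values.size
    raise ArgumentError, "expected #{expected} bind values, got #{values.size}"
  end
  i = -1
  template.gsub("?") { quote_value(values[i += 1]) }
end

# Hash form: { col: v1, other: v2 } -> equality only, nil becomes IS NULL.
def sanitize_sql_hash(conditions)
  conditions.map do |column, value|
    value.nil? ? "#{column} IS NULL" : "#{column} = #{quote_value(value)}"
  end.join(" AND ")
end

# The string-interpolation form from the docs, kept only for comparison:
# a quote inside user_name lands in the SQL unchanged.
def unsafe_where(user_name, password)
  "user_name = '#{user_name}' AND password = '#{password}'"
end

# The array form from the docs, run through the stand-in sanitizer.
def safe_where(user_name, password)
  sanitize_sql_array("user_name = ? AND password = ?", user_name, password)
end

# Constructed sample input: a perfectly ordinary name containing a quote.
puts unsafe_where("O'Brien", "secret")  # quote breaks the literal
puts safe_where("O'Brien", "secret")    # quote is doubled, literal intact
```

Run it and compare the two lines: the unsafe form emits three quote characters in a row around the name, while the safe form keeps the whole name inside one literal.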

Re: Question about ActiveRecord and sanitizing inputs

Thanks for the reply.

So are you saying that Ruby or Rails sanitizes the inputs behind the scenes?

In Perl, I would run the inputs through a regex to clear out any punctuation, etc. to mitigate against a SQLi attack. What I'm trying to determine is if Ruby or Rails does this for me.

I think I'll put together a test and see what happens.

Re: Question about ActiveRecord and sanitizing inputs

Rails sanitises in different ways.
In forms for Rails version 2.x and below you would use an h clause to sanitise user input to prevent javascript and html from being passed back to the server. In Rails 3.x+ this is on by default, and you have to use a raw command in forms if you want to allow users to send html etc... back to the server.

This might help:

http://railscasts.com/episodes/25-sql-injection
http://railscasts.com/episodes/26-hacke … assignment
http://railscasts.com/episodes/178-seven-security-tips
http://railscasts.com/episodes/26-hacke … nt-revised (I think you will need a subscription to view this one but I'm not sure).

So basically you don't need to worry about it; just follow the advice and all should be good.


Re: Question about ActiveRecord and sanitizing inputs

Thanks again James. I watched the first couple of railscasts, they are excellent.

Re: Question about ActiveRecord and sanitizing inputs

Those railscasts are truly excellent. If you are new to Rails I would highly recommend you sit down with a gallon of coffee, half a dozen pizzas and a spare 24 hours and watch them all.


Re: Question about ActiveRecord and sanitizing inputs

jamesw wrote:

sit down with a gallon of coffee, half a dozen pizzas...

it's almost like you know me... smile