
Is this Ruby on Rails code vulnerable to SQL injection?

Thanks for your help with this. I'm new to Rails (using Rails 2, which I know isn't ideal, but it's necessary for the project). I've got a form with several inputs. I wanted to make sure that I'm protecting my users against SQL injection. I think I've handled it properly, but I just wanted to be sure, especially with the inputs.

footwear.html.erb has the form that saves to the shoes and socks tables:

    <% form_for @shoe, :html=>{:id=>'createanOrder'} do |f| %>

    <%# Shoe name; read in the controller as params[:shoename] %>
    <p><input id="shoe_name" name="shoename" size="30" type="text" value="New Shoe"></p>

    <p>Enter a decoration for the top:
    <input id="topdecorationinput" type="text" name="topdecorationinput" size="56"></p>

    <%# Rails 2 does not escape output automatically, so h() is used on values rendered into the page %>
    <p>Or, select a decoration from the list:
    <select id="topdecorationdropdown" name="topdecorationdropdown">
    <option value=""></option>
    <% for allshoe in @allshoe %>
    <option value="<%= h(allshoe.decoration) %>"><%= h(allshoe.decoration) %></option>
    <% end %>
    </select>
    </p>

    <%# Multi-select; submitted as the array params[:socksselected] %>
    <select multiple id="socks" name="socksselected[]">
    <% for sock in @sock %>
    <option selected value="<%= h(sock.name) %>"><%= h(sock.name) %></option>
    <% end %>
    </select>

    <input type="checkbox" name="shipit" id="shipit" checked="checked">

    <p>Enter a decoration for the bottom:
    <input id="bottomdecorationinput" type="text" name="bottomdecorationinput" size="56"></p>

    <p>Or, select a decoration from the list:
    <select id="bottomdecorationdropdown" name="bottomdecorationdropdown">
    <option value=""></option>
    <% for allshoe in @allshoe %>
    <option value="<%= h(allshoe.decoration) %>"><%= h(allshoe.decoration) %></option>
    <% end %>
    </select>
    </p>
    <input type="submit" id="savethisorder" value="Save Order or Update Order">
    <% end %>

Shoes Controller

    class ShoesController < ApplicationController
      # GET /shoes
      # GET /shoes.xml
      def index
        @shoe = Shoe.all
        @sock = Sock.all
        respond_to do |format|
          format.html # index.html.erb
          format.xml  { render :xml => @shoe }
        end
      end

      # GET /shoes/1
      # GET /shoes/1.xml
      def show
        @shoe = Shoe.find(params[:id])
        @sock = Sock.find(params[:id])
        respond_to do |format|
          format.html # show.html.erb
          format.xml  { render :xml => @shoe }
        end
      end

      # GET /shoes/new
      # GET /shoes/new.xml
      def new
        @shoe = Shoe.new
        @sock = Sock.new
        respond_to do |format|
          format.html # new.html.erb
          format.xml  { render :xml => @shoe }
        end
      end

      # GET /shoes/1/edit
      def edit
        @shoe = Shoe.find(params[:id])
        @sock = Sock.find(params[:id])
        respond_to do |format|
          format.html # edit.html.erb
          format.xml  { render :xml => @shoe }
        end
      end

      # POST /shoes
      # POST /shoes.xml
      def create
        @shoe = Shoe.new(params[:shoe])
        @shoe.name = params[:shoename]

        # Top decoration: the dropdown value wins when present, otherwise the
        # free-text field is used. Hash conditions (:conditions => {...}) are
        # quoted by ActiveRecord, so the value is never spliced into raw SQL.
        if params[:topdecorationdropdown].blank?
          @shoe.decoration = params[:topdecorationinput]
        else
          @shoe.decoration = params[:topdecorationdropdown]
          topdecorationdropdown_array = params[:topdecorationdropdown].split(',').collect(&:strip)
          @shoe.sparkletopdecorationdropdown = Allshoe.find(:first, :conditions => {:sparkle => topdecorationdropdown_array[0]}).sparkle
        end

        # One Sock row per selected entry; Array() guards against no selection.
        socks = Array(params[:socksselected])
        socks.each do |sock_info|
          sock = Sock.new
          sock.sockdescription = sock_info
          sock.shoe = @shoe

          sockdecoration_array = sock_info.split(',').collect(&:strip)
          @sockisaset = Allshoe.find(:first, :conditions => {:decoration => sockdecoration_array[0]})
          if @sockisaset
            sock.sparkle = Allshoe.find(:first, :conditions => {:sparkle => sockdecoration_array[0]}).sparkle
          else
            sock.sparkle = nil
          end
          sock.save
        end

        if !params[:shipit].blank?
          @shoe.shipit = 1
        else
          @shoe.shipit = 0
        end

        # Bottom decoration, same pattern as the top.
        if params[:bottomdecorationdropdown].blank?
          @shoe.decoration = params[:bottomdecorationinput]
        else
          @shoe.decoration = params[:bottomdecorationdropdown]
          bottomdecorationdropdown_array = params[:bottomdecorationdropdown].split(',').collect(&:strip)
          @shoe.sparklebottomdecorationdropdown = Allshoe.find(:first, :conditions => {:sparkle => bottomdecorationdropdown_array[0]}).sparkle
        end

        respond_to do |format|
          if @shoe.save
            format.html { redirect_to "/store" }
            format.xml  { render :xml => @shoe, :status => :created }
          else
            format.html { render :action => "new" }
            format.xml  { render :xml => @shoe.errors, :status => :unprocessable_entity }
          end
        end
      end

      # PUT /shoes/1
      # PUT /shoes/1.xml
      def update
        @shoe = Shoe.find(params[:id])
        respond_to do |format|
          if @shoe.update_attributes(params[:shoe])
            flash[:notice] = 'Shoe was successfully updated.'
            format.html { redirect_to "/store" }
            format.xml  { head :ok }
          else
            format.html { render :action => "edit" }
            format.xml  { render :xml => @shoe.errors, :status => :unprocessable_entity }
          end
        end
      end

      # DELETE /shoes/1
      # DELETE /shoes/1.xml
      def destroy
        @shoe = Shoe.find(params[:id])
        @shoe.destroy
        respond_to do |format|
          format.html { redirect_to "/store" }
          format.xml  { head :ok }
        end
      end
    end

Shoe model

    class Shoe < ActiveRecord::Base
      belongs_to :footwear
      has_many :socks, :dependent => :destroy
    end

The above given code is protected against SQL injection. Injection is possible in ROR, but usually happens when the variables are directly used in a find_by_sql command while building the query.

For example:

    sql = "Select * from users where id = #{params[:id]}"
    res = User.find_by_sql(sql)

In the above mentioned case SQL injection can be done by sending appropriate statements in params[:id]. The same code can be written as follows to prevent injection.

    sql = "Select * from users where id = ?"
    res = User.find_by_sql([sql, params[:id]])

The above written code is safe from SQL injection.
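An added example, not code from the question or the answer: a pure-Ruby imitation of what ActiveRecord does with the two find_by_sql forms in the answer and with the hash conditions used in the controller, so the difference can be seen without a database. The function names, the `allshoes` table name and the quoting rule are assumptions made for this illustration; a real adapter quotes per database dialect.

```ruby
# Quote a single value the way a SQL adapter would: integers stay bare,
# nil becomes NULL, strings are wrapped in single quotes with embedded
# quotes doubled so the value can never terminate the literal early.
# (Simplified quoting, assumed for this example.)
def quote_sql_value(value)
  case value
  when Integer then value.to_s
  when NilClass then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# The unsafe form from the answer: the raw parameter is spliced into the
# SQL text, so whatever the client sent becomes part of the statement.
def interpolated_query(id)
  "Select * from users where id = #{id}"
end

# The safe form: [sql, value, ...] with ? placeholders. Each value is
# quoted as a literal, so it can only be compared, never executed.
# Splitting on ? first means a quoted value containing ? is never re-bound.
def bound_query(sql, *values)
  parts = sql.split("?", -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "expected #{parts.size - 1} values, got #{values.size}"
  end
  quoted = values.map { |v| quote_sql_value(v) } + [""]
  parts.zip(quoted).map(&:join).join
end

# Hash conditions like :conditions => {:sparkle => x} (as in ShoesController)
# go through the same quoting for every value.
def hash_conditions_query(table, conditions)
  where = conditions.map { |col, v| "#{col} = #{quote_sql_value(v)}" }.join(" AND ")
  "SELECT * FROM #{table} WHERE #{where}"
end

# Defensive check for an id parameter: require a plain base-10 integer and
# reject anything else before it gets anywhere near a query.
def integer_id(param)
  Integer(param.to_s, 10)
rescue ArgumentError
  nil
end
```

With a constructed parameter such as `7abc`, `interpolated_query` leaves it as bare SQL text while `bound_query` turns it into the literal `'7abc'`; `integer_id` rejects it outright.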
