
Ruby on Rails SQL injection on LIKE '%#{argument}%' vulnerable?

I have a question about Ruby on Rails SQL injection vulnerability. Let's say I have a method like this:

def self.search(args)
  # args is interpolated straight into the SQL text (the pattern in question)
  where_clause = "`items`.`name` LIKE '%#{args}%'"
  results = Item.where(where_clause)
  return results
end

where args is a value passed in from the search box. Is this vulnerable to attack? My initial thought was that this would be vulnerable to attack; however, after trying a few queries, I wasn't able to.

Is there something special about LIKE '%%' that makes it impervious to attack?

Thanks!

To be safe, I usually do this:

Item.where("name LIKE ?", "%#{args}%")
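The following is an added example, not part of the original question or answer, that makes the difference between the two forms visible without Rails or a database: it builds the interpolated clause from the question beside a placeholder-style version that quotes the value the way `where("name LIKE ?", value)` does, and it also shows the LIKE-specific caveat that binding does not neutralize the `%` and `_` wildcards (Rails provides `ActiveRecord::Base.sanitize_sql_like` for that). The functions `unsafe_like_clause`, `safe_like_clause`, `quote_sql_string` and `escape_like_wildcards` are assumptions made for this example; the quoting mirrors the single-quote doubling of the common adapters rather than any adapter's actual implementation.

```ruby
# Added example (not from the original post). Pure Ruby: no Rails, no database.

# The question's pattern: the search term lands verbatim inside the SQL text,
# so any quote character in the term changes the shape of the statement.
def unsafe_like_clause(term)
  "`items`.`name` LIKE '%#{term}%'"
end

# Stand-in for what a '?' placeholder does: the value becomes one quoted SQL
# string literal with embedded single quotes doubled. (Assumption for this
# example; in Rails use Item.where("name LIKE ?", "%#{term}%") instead.)
def quote_sql_string(value)
  "'" + value.gsub("'", "''") + "'"
end

def safe_like_clause(term)
  "`items`.`name` LIKE " + quote_sql_string("%#{term}%")
end

# LIKE still interprets % and _ as wildcards inside a bound value, so a search
# for a literal percent sign needs them escaped. Rails does this with
# ActiveRecord::Base.sanitize_sql_like; this is a minimal equivalent.
def escape_like_wildcards(term, escape = "\\")
  term.gsub(/[\\%_]/) { |ch| escape + ch }
end

def safe_like_clause_literal(term)
  "`items`.`name` LIKE " + quote_sql_string("%#{escape_like_wildcards(term)}%") + " ESCAPE '\\'"
end

# A clause whose single quotes do not pair up has had its structure changed by
# the input rather than only its data. Doubled quotes add two, so parity holds.
def quote_balanced?(sql)
  sql.count("'").even?
end

if __FILE__ == $0
  term = "O'Reilly"   # constructed, realistic search term containing a quote
  puts "interpolated: #{unsafe_like_clause(term)}  balanced=#{quote_balanced?(unsafe_like_clause(term))}"
  puts "bound:        #{safe_like_clause(term)}  balanced=#{quote_balanced?(safe_like_clause(term))}"
  puts "literal %:    #{safe_like_clause_literal('50%_off')}"
end
```

Run it with `ruby like_example.rb`: the interpolated clause for `O'Reilly` ends up with three single quotes, so the statement no longer means what the method intended, while the bound form keeps the term inside one literal. The answer's `Item.where("name LIKE ?", "%#{args}%")` is the form to use; add `sanitize_sql_like` when users should be able to search for `%` or `_` themselves.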
