I'm enthusiastic and passionate about web development and design in all its forms and love to build applications with efficient and simple methods

Thursday, June 26, 2014

Brakeman Rails: How to avoid SQL injection

7:50 AM Posted by Codeinterpreter
Brakeman is a static analysis security scanner for Ruby on Rails: an open-source vulnerability scanner designed specifically for Rails applications. It analyzes the application's source code statically, so it can find security issues at any stage of development.

I will share some tricks for avoiding Brakeman's medium-level SQL Injection warnings.

1. Example case "IN query":
Wrong format:
  id = [1,2,3,4,5]
  # the values are pasted straight into the SQL text; Brakeman flags this
  query = self.find(:all, :conditions => ["id in (" + id.join(",") + ")"])
Correct format:
  id = [1,2,3,4,5]
  # the array is passed as a bind value; ActiveRecord quotes each element
  query = self.find(:all, :conditions => ["id in (?)", id])
  or
  query = self.where("id in (?)", id)

2. Example case "string query":
Wrong format:
  query = self.where("id = '" + id + "' and place = '" + place + "' and user = '" + user + "' ")
Correct format:
  # collect the SQL fragments and their values separately: only fixed
  # column names go into the SQL text, every value travels as a "?" bind
  query_conditions = []
  query_values = []
  unless id.blank?
    query_conditions << "id = ?"
    query_values << id
  end
  unless place.blank?
    query_conditions << "place = ?"
    query_values << place
  end
  unless user.blank?
    query_conditions << "user = ?"
    query_values << user
  end
  # where accepts the array form ["sql with ?", value, ...]
  query_where = [query_conditions.join(" and "), *query_values]
  result = self.where(query_where)
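To make the dynamic-conditions idea concrete without a Rails app, here is an added example (not code from the original post): it builds the `["sql with ?", value, ...]` array that ActiveRecord's `where` accepts from a hash of request parameters, and uses a small stand-in for ActiveRecord's placeholder quoting so the resulting SQL can be inspected. `build_conditions`, `render_sql`, `concat_sql` and the `params` hash are my own names and constructed input.

```ruby
# Added example, not part of the original post. Pure Ruby, no Rails needed.

# Build the array form ActiveRecord's `where` accepts: ["sql with ?", v1, v2].
# Returns nil when no condition applies. Only the fixed column names in
# `columns` can ever reach the SQL text; values travel as bind parameters.
def build_conditions(params, columns = %w[id place user])
  sql_parts = []
  values = []
  columns.each do |col|
    value = params[col]
    next if value.nil? || value.to_s.strip.empty? # Rails' blank? without Rails
    sql_parts << "#{col} = ?" # column name comes from the fixed list, not input
    values << value           # the value is kept out of the SQL string entirely
  end
  return nil if sql_parts.empty?
  [sql_parts.join(" and "), *values]
end

# Minimal stand-in for ActiveRecord's placeholder substitution so the result can
# be seen without a database: strings are wrapped in quotes with any embedded
# single quote doubled, which keeps the whole value inside its string literal.
def render_sql(conditions)
  sql, *values = conditions
  queue = values.dup
  sql.gsub("?") do
    v = queue.shift
    v.is_a?(Integer) ? v.to_s : "'#{v.to_s.gsub("'", "''")}'"
  end
end

# The pattern from "Wrong format": the value is spliced straight into the SQL,
# so a quote inside the value ends the literal early and changes the query.
def concat_sql(params)
  "place = '" + params["place"].to_s + "'"
end

if __FILE__ == $0
  params = { "id" => 7, "place" => "O'Brien's Pub" } # constructed sample input
  puts build_conditions(params).inspect              # ["id = ? and place = ?", 7, "O'Brien's Pub"]
  puts render_sql(build_conditions(params))          # id = 7 and place = 'O''Brien''s Pub'
  puts concat_sql(params)                            # place = 'O'Brien's Pub'
end
```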
