Brakeman Rails: How to avoid SQL injection

Brakeman is a static analysis security scanner for Ruby on Rails. It is an open source vulnerability scanner designed specifically for Rails applications: it statically analyses the application code, without running it, so it can find security issues at any stage of development.

I will share some tricks to avoid Brakeman's medium-confidence SQL Injection warning.

1. Example Case "IN query":
Wrong Format (the ids are concatenated straight into the SQL, which Brakeman flags):
  id = [1, 2, 3, 4, 5]
  query = self.find(:all, :conditions => ["id in (" + id.join(",") + ")"])
Correct Format (the "?" placeholder is expanded by ActiveRecord into a quoted, comma-separated list):
  id = [1, 2, 3, 4, 5]
  query = self.find(:all, :conditions => ["id in (?)", id])
  or
  query = self.where("id in (?)", id)

2. Example Case "string query":
Wrong Format (every value is concatenated into one SQL string):
  query = self.where("id = '" + id + "' and place = '" + place + "' and user = '" + user + "' ")
Correct Format (each condition is added only when its value is present, then the fragments are joined):
  query_conditions = []
  unless id.blank?
    query_conditions << "id = '" + id + "'"
  end
  unless place.blank?
    query_conditions << "place = '" + place + "'"
  end
  unless user.blank?
    query_conditions << "user = '" + user + "'"
  end
  # Join with spaces around "and" so the fragments do not run together.
  query_where = query_conditions.join(" and ")
  # Brakeman no longer sees the interpolation here, but id, place and user are
  # still concatenated into SQL; bind them with "?" placeholders (as in case 1)
  # to remove the injection itself rather than only the warning.
  result = self.where(query_where)
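The two cases above done with bind placeholders, as an added example that is not code from the original post. `quote_sql` and `bind_sql` are a simplified stand-in for ActiveRecord's `?` placeholder substitution so the script runs without Rails (an assumption of this example, not ActiveRecord's own code); `build_where` returns the template and values that a real model would pass straight to `where(template, *values)`. The sample input with an apostrophe is constructed to show how the concatenated form lets the value alter the SQL structure while the bound form keeps it inside a literal.

```ruby
# Added example (not from the original post). The quoting and binding helpers
# imitate ActiveRecord's "?" placeholder handling so this runs without Rails.

# Quote one value as a SQL literal: single quotes are doubled, arrays become
# a comma-separated list (for "IN (?)"), integers and nil pass through.
def quote_sql(value)
  case value
  when Integer then value.to_s
  when Array   then value.map { |v| quote_sql(v) }.join(", ")
  when nil     then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each "?" in the template with the next quoted value. The count check
# mirrors ActiveRecord, which raises when placeholders and values disagree.
def bind_sql(template, values)
  values = values.dup
  unless template.count("?") == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  template.gsub("?") { quote_sql(values.shift) }
end

# Case 2 with placeholders: collect the fragments AND their values in step,
# skipping blank inputs, so the caller can do where(template, *values).
def build_where(params)
  fragments = []
  values = []
  %w[id place user].each do |column|
    value = params[column]
    next if value.nil? || value.to_s.strip.empty?
    fragments << "#{column} = ?"
    values << value
  end
  [fragments.join(" and "), values]
end

def safe_query(params)
  template, values = build_where(params)
  bind_sql(template, values)
end

# The post's "wrong format", kept only to compare the two results.
def unsafe_query(params)
  "id = '" + params["id"] + "' and place = '" + params["place"] +
    "' and user = '" + params["user"] + "'"
end

# Case 1: "IN (?)" expands an array into a quoted, comma-separated list.
def in_query(ids)
  bind_sql("id in (?)", [ids])
end

if __FILE__ == $0
  # Constructed input: an apostrophe in the value ends the literal early when
  # concatenated, but stays inside the literal when bound.
  input = { "id" => "1", "place" => "O'Brien", "user" => "bob" }
  puts unsafe_query(input)
  puts safe_query(input)
  puts in_query([1, 2, 3])
end
```

Keeping the fragments and the values in two parallel arrays is the whole trick: the SQL text only ever contains column names and `?`, and the user-supplied strings travel separately to `where`, so Brakeman has nothing to flag and the database never parses them as SQL.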
