Brakeman is a static analysis security scanner for Ruby on Rails. It is an open source vulnerability scanner built specifically for Rails applications: it analyzes the application's source code without running it, so it can find security issues at any stage of development.
I will share some tricks for avoiding Brakeman's medium-confidence SQL Injection warnings.
1. Example Case "IN query":
Wrong format (the ids are concatenated straight into the SQL text):
id = [1, 2, 3, 4, 5]
query = self.find(:all, :conditions => ["id in (" + id.join(",") + ")"])
Correct format (the array is passed as a bind parameter and Rails expands it):
id = [1, 2, 3, 4, 5]
query = self.find(:all, :conditions => ["id in (?)", id])
or
query = self.where("id in (?)", id)
2. Example Case "string query":
Wrong format (every value is spliced into the SQL string):
query = self.where("id = '" + id + "' and place = '" + place + "' and user = '" + user + "' ")
Correct format (only the static condition text is joined; each value is passed as a bind parameter, and each condition checks its own variable):
query_conditions = []
query_values = []
unless id.blank?
  query_conditions << "id = ?"
  query_values << id
end
unless place.blank?
  query_conditions << "place = ?"
  query_values << place
end
unless user.blank?
  query_conditions << "user = ?"
  query_values << user
end
# The placeholders stay in the SQL text; the values travel separately.
query_where = query_conditions.join(" and ")
result = self.where(query_where, *query_values)
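The pattern from case 2, generalized to any set of optional filters, as an added example that is not code from the original post. It is plain Ruby with no Rails dependency: `build_where` returns the argument list you would splat into `Model.where(*build_where(filters))`, and `concat_where` reproduces the "wrong format" only to show how a legitimate value containing a quote (the constructed name `O'Brien`) changes the SQL text when concatenated but stays a bind value when parameterized. The `ALLOWED_COLUMNS` whitelist is an assumption added here so that column names, which cannot be bound, also never come from the caller unchecked.

```ruby
# Added example: build a dynamic WHERE clause with bind placeholders.
# Assumed column whitelist; the real application would list its own columns.
ALLOWED_COLUMNS = %w[id place user].freeze

# filters: Hash of column name => value, e.g. {"id" => "5", "place" => "", "user" => "bob"}.
# Blank values are skipped (the post's "unless blank?" intent); unknown column
# names raise, so the SQL text only ever contains names written in this file.
# Returns [sql_fragment, *bind_values]; an empty fragment means "no filter".
def build_where(filters)
  fragments = []
  binds = []
  filters.each do |column, value|
    next if value.nil? || value.to_s.strip.empty?
    unless ALLOWED_COLUMNS.include?(column.to_s)
      raise ArgumentError, "unexpected column #{column.inspect}"
    end
    fragments << "#{column} = ?" # static text with a placeholder
    binds << value               # the value never touches the SQL string
  end
  [fragments.join(" and "), *binds]
end

# The post's "wrong format", kept only for comparison: the value is spliced
# into the SQL text, so any quote in the data alters the statement itself.
def concat_where(filters)
  filters.reject { |_, v| v.nil? || v.to_s.strip.empty? }
         .map { |column, value| "#{column} = '#{value}'" }
         .join(" and ")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: one blank filter and one value containing a quote.
  sample = { "id" => "5", "place" => "", "user" => "O'Brien" }
  p build_where(sample)  # => ["id = ? and user = ?", "5", "O'Brien"]
  p concat_where(sample) # => "id = '5' and user = 'O'Brien'"  (broken SQL)
end
```

In a real Rails model the call would be `where(*build_where(filters))`; when every value is blank the fragment is an empty string, which `where` treats as no condition. For simple equality filters the shortest safe form is hash conditions, `where(filters.reject { |_, v| v.blank? })`, which Rails binds for you; the placeholder form above is for when you need operators other than `=`.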
Brakeman Rails: How to avoid SQL injection
7:50 AM
Codeinterpreter