The Ruby on Rails framework provides pretty good built-in protection against SQL injection if you use ActiveRecord methods such as find or find_by, which bind their arguments as values.
But that does not mean you can carelessly pass request parameters to any ActiveRecord method: the methods that take an SQL fragment as a string (order, where with a string, pluck, and so on) splice that string into the query and are still vulnerable to SQLi by default.

For example, I came across these lines in a production environment:

def some_controller_method
  # Both values are interpolated verbatim into the ORDER BY clause;
  # sort_column is shown below, sort_direction is defined elsewhere
  # in the controller and is not reproduced here.
  MyModel.all.order("#{sort_column} #{sort_direction}")
end

private

def sort_column
  # The raw request parameter is returned without any validation,
  # so whatever the client sends ends up inside the SQL string.
  params[:sort] ? params[:sort] : 'created_at'
end

As you can see the sort parameter is being interpolated
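To make the difference concrete, here is an added example (my own code, not the snippet from the production controller above) that reproduces the same sort-parameter pattern as plain Ruby methods, with no Rails dependency, so the vulnerable and hardened versions can be run side by side. The column and direction allowlists, the parameter names (:sort and :direction) and the sample params hashes are all assumptions made for the example.

```ruby
# Added example, not from the original post: the interpolated ORDER BY
# fragment beside two hardened forms. Runs without Rails; `params` is a
# plain Hash with symbol keys standing in for the controller's params.

# Assumed allowlists: the only columns and directions the UI is meant to
# sort by. Anything not listed never reaches the SQL string.
SORTABLE_COLUMNS = %w[created_at updated_at name].freeze
SORT_DIRECTIONS  = %w[asc desc].freeze

# Mirrors the vulnerable controller: the request values are interpolated
# verbatim, so a client controls the raw text of the ORDER BY clause.
def vulnerable_order_fragment(params)
  sort_column    = params[:sort] ? params[:sort] : 'created_at'
  sort_direction = params[:direction] ? params[:direction] : 'asc'
  "#{sort_column} #{sort_direction}"
end

# Hardened form, fail-soft: request values only pick an entry from the
# allowlists; unknown values silently fall back to the default ordering.
def safe_order_fragment(params)
  column    = params[:sort].to_s
  direction = params[:direction].to_s.downcase
  column    = 'created_at' unless SORTABLE_COLUMNS.include?(column)
  direction = 'asc'        unless SORT_DIRECTIONS.include?(direction)
  "#{column} #{direction}"
end

# Hardened form, fail-closed: an unexpected value is treated as a bad
# request and raised, which is easier to spot in logs than a quiet fallback.
def strict_order_fragment(params)
  column    = params.fetch(:sort, 'created_at').to_s
  direction = params.fetch(:direction, 'asc').to_s.downcase
  raise ArgumentError, "unsupported sort column: #{column.inspect}" unless SORTABLE_COLUMNS.include?(column)
  raise ArgumentError, "unsupported sort direction: #{direction.inspect}" unless SORT_DIRECTIONS.include?(direction)
  "#{column} #{direction}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters: one benign, one with a value that is not
  # a column name at all.
  benign = { sort: 'name', direction: 'DESC' }
  odd    = { sort: 'not_a_column', direction: 'asc' }

  puts "vulnerable, benign: #{vulnerable_order_fragment(benign)}"
  puts "vulnerable, odd:    #{vulnerable_order_fragment(odd)}"   # passes through unchanged
  puts "safe, odd:          #{safe_order_fragment(odd)}"          # falls back to created_at
  begin
    strict_order_fragment(odd)
  rescue ArgumentError => e
    puts "strict, odd:        rejected (#{e.message})"
  end
end
```

In a real controller the allowlisted values can then be handed to ActiveRecord in hash form, for example MyModel.order(column => direction) with symbols, which quotes the column as an attribute and validates the direction instead of accepting free text. Note also that Rails 6 and later refuse a raw, non-column-looking string passed to order unless it is explicitly wrapped in Arel.sql, so if you see Arel.sql around request input that is the same bug with an opt-out sticker on it.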