rails is Model.new safe from sql injection?
Does ModelName.new protect against sql injection?
Examp开发者_JS百科le:
@user = User.new(params[:user])
@user.save
I've read the rails security docs and didn't see anything about inserts via Model.new.
Thanks!
Model.new
has nothing to do with SQL injection as it is not the method that writes to the database .
It is the Model.save
that actually writes to the database and takes care of SQL injection .
yes
it protect against sql injection and is safe as params[:user] is HASH
you can check it with follwing example i assumr you get some invalid values in params[:user][:name]
@user= User.new(params[:user])
@user.save
AND
@user= User.new()
@user.name=params[:user][:name] #your application may crash here or this is not sql injection safe
@user.save
To avoid this you can use hash
@user= User.new({:name=>params[:user][:name]})
@user.save
After reading this i came to conlcusion neither .new & .save are safe from sql injection
Edited
The mass-assignment feature may become a problem, as it allows an attacker to set any model’s attributes by manipulating the hash passed to a model’s new() method:
PLEASE READ 6 Mass Assignment
for it's Problems and 6.1 Countermeasures
for solution
精彩评论