I'm trying to pass a string into the .order method, such as <pre class="prettyprint"><code>Item.order(orderBy) </code></pre> I was wondering if orderBy gets sanitized by default and if not, what would be the best way to sanitize it.

The order does not get sanitized. This query will actually drop the Users table: <pre class="prettyprint"><code>Post.order("title; drop table users;") </code></pre> You'll want to check the <code>orderBy</code> variable before running the query if there's any way <code>orderBy</code> could be tainted from user input. Something like this could work: <pre class="prettyprint"><code>items = Item.scoped if Item.column_names.include?(orderBy) items = items.order(orderBy) end </code></pre>

Are the .order method parameters in ActiveRecord sanitized by default?

Tags:

ruby-on-rails

rails-activerecord

I'm trying to pass a string into the .order method, such as

Item.order(orderBy)

I was wondering if orderBy gets sanitized by default and if not, what would be the best way to sanitize it.

739

asked Feb 15 '13 14:02

andreimarinescu

1 Answers

The order does not get sanitized. This query will actually drop the Users table:

Post.order("title; drop table users;")

You'll want to check the orderBy variable before running the query if there's any way orderBy could be tainted from user input. Something like this could work:

items = Item.scoped
if Item.column_names.include?(orderBy)
  items = items.order(orderBy)
end

173

answered Oct 14 '22 13:10

Dylan Markow

Recent Activity
Apple Pay - authorize.net returns error 153 only when live, sandbox works
How to continue cursor loop even error occured in the loop
python find all neighbours of a given node in a list of lists
Fatal error: Call to a member function setColumn() on a non-object in Magento
Count how many of each value from a field with MySQL and PHP
Python 32-bit development on 64-bit Windows [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With