
SQL injection attempts, any advice?

General • Asked by Javier Sanz

Hi there,

In the logs of Rollbar for my app petithacks.com, I have seen in the past 2 days attempts like the ones in the image

I'm using the 'will_paginate' gem for pagination of several records in the app, and also a gem to 'like' elements. I also found this thread on Google Groups, but I have no idea how to include the suggestion in my code. Within my hacks_controller.rb these are the 2 methods that include paginate:

def index
  # All hacks, newest first, 5 per page; the page number comes straight from the request
  @hacks = Hack.friendly.order('id desc').paginate(:page => params[:page], per_page: 5)
end

def tagged
  if params[:tag].present?
    # Same pagination, restricted to hacks carrying the requested tag
    @hacks = Hack.friendly.tagged_with(params[:tag]).paginate(:page => params[:page], per_page: 5)
  else
    redirect_to hacks_path
  end
end

Any help & advice on how to avoid these kind of attempts?


The page method he suggested should work nicely. I have had this issue before on GoRails too.

You can add this to the bottom of your controller or ApplicationController and just replace all the params[:page] references with this method page

def page
  p = params[:page].to_i   # non-numeric input (an injection probe, for instance) becomes 0
  p > 1 ? p : 1            # never hand paginate a zero or negative page number
end

I'm kinda surprised will_paginate doesn't handle this internally.


Thanks Chris, two newbie questions:

  • (...) 'you should include it to the bottom of your controller': within the private methods or out of them?
  • (...) 'just replace all the params[:page] references with this method page' > Can you confirm: should I replace what I have here

@hacks = Hack.friendly.tagged_with(params[:tag]).paginate(:page => params[:page], per_page: 5)

with this other string?

@hacks = Hack.friendly.tagged_with(params[:tag]).paginate(:page => page, per_page: 5)


  1. Unless it is an action (with a view), you always want to put those methods in the private section. You don't have to, but it's a good idea to.

  2. Yep, that's it! That's basically just going to call the method instead of using the param directly. The method is the one that looks it up directly and then makes sure it gets converted to a sane integer.
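
As an added example (not code from this thread, from GoRails or from the petithacks app), here is one stand-alone Ruby file that puts together the two points above: the sanitised `page` helper from Chris's first answer, and its placement in the private section with the `params[:page]` references replaced, as confirmed in the second. It needs no Rails, will_paginate or database: the `HacksController` below is a constructed stand-in whose `index` only returns the LIMIT/OFFSET pair paginate would derive, `params` is an injected hash, the probe strings are constructed sample input, and the `to_s` before `to_i` is an addition over the thread's version to cover array or hash values in `?page`.

```ruby
# Added example (not code from the thread): the sanitised `page` helper from
# the answers above, placed in the private section of a stand-in controller,
# with the LIMIT/OFFSET that paginate would derive from it. Rails,
# will_paginate, the Hack model and real request params are not needed to run
# this; the controller and params hash below are constructed stand-ins.

# Turn whatever arrived in ?page= into a positive integer. String#to_i keeps
# the leading digits and drops the rest, so an injection probe such as
# "1 OR 1=1" becomes 1 and "abc" becomes 0; anything below 1 is clamped to 1.
# Going through to_s first (an addition to the thread's version) also covers
# ?page[]=1 or ?page[a]=1, where params[:page] is an Array or Hash that has
# no #to_i of its own.
def sanitize_page(raw)
  p = raw.to_s.to_i
  p > 1 ? p : 1
end

# Stand-in for the relevant part of hacks_controller.rb. In the real app
# `params` is supplied by Rails; here it is injected so the file runs offline.
class HacksController
  PER_PAGE = 5

  def initialize(params)
    @params = params
  end

  # Returns the LIMIT/OFFSET pair that
  #   Hack.friendly.order('id desc').paginate(page: page, per_page: PER_PAGE)
  # would derive for this request. Only the integer produced by `page` is used
  # in the arithmetic; the raw parameter string is never touched here.
  def index
    { limit: PER_PAGE, offset: (page - 1) * PER_PAGE }
  end

  private

  attr_reader :params

  # The helper lives under `private`: it is not an action and must not be
  # routable. Every former `params[:page]` reference calls `page` instead.
  def page
    sanitize_page(params[:page])
  end
end

# Constructed sample inputs: what a scanner or a typo might put in ?page=.
PROBES = [
  nil,                       # parameter absent
  "3",                       # normal request
  "0",                       # zero
  "-7",                      # negative
  "2.9",                     # non-integer
  "abc",                     # garbage
  "1 OR 1=1",                # classic injection probe
  "1' UNION SELECT NULL--",  # another probe
  ["1"],                     # ?page[]=1
].freeze

# Maps each probe to the page number the controller would actually use.
def probe_results
  PROBES.to_h { |raw| [raw, HacksController.new({ page: raw }).send(:page)] }
end

if __FILE__ == $PROGRAM_NAME
  probe_results.each { |raw, page| puts "#{raw.inspect.ljust(26)} -> page #{page}" }
end
```

Run it with `ruby` to see each probe mapped to the page number the controller would use. Whatever arrives in `?page`, the offset the query is built from is an integer the helper produced, so malformed values degrade to page 1 instead of surfacing as an exception in Rollbar.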


Thanks Chris! No more evidence of the issue in Rollbar. A security checklist episode could be great!

