
SQL injection attempts, any advice?

Javier Sanz asked in General

Hi there,

In the Rollbar logs for my app petithacks.com, I have seen attempts like the ones in the image over the past 2 days.

I'm using the 'will_paginate' gem for pagination of several records in the app, and also a gem to 'like' elements. I also found this thread in a Google group but have no idea how to include the suggested change in my code. Within my hacks_controller.rb these are the 2 methods that include paginate:


def index
  # params[:page] comes straight from the query string and is passed to paginate untouched
  @hacks = Hack.friendly.order('id desc').paginate(:page => params[:page], per_page: 5)
end

def tagged
  if params[:tag].present?
    # same pattern: the raw page parameter goes directly into paginate
    @hacks = Hack.friendly.tagged_with(params[:tag]).paginate(:page => params[:page], per_page: 5)
  else
    redirect_to hacks_path
  end
end

Any help & advice on how to avoid this kind of attempt?

The page method he suggested should work nicely. I have had this issue before on GoRails too.

You can add this to the bottom of your controller or ApplicationController and just replace all the params[:page] references with this method page.

def page
  # to_i turns any string (including tampered ones) into an integer; non-numeric input becomes 0
  p = params[:page].to_i
  # anything below 1 falls back to the first page
  p > 1 ? p : 1
end

I'm kinda surprised will_paginate doesn't handle this internally.


Thanks Chris, two newbie questions:

  • (...) 'you should include it to the bottom of your controller': within the private methods or outside of them?
  • (...) 'just replace all the params[:page] references with this method page': can you confirm that this line

@hacks = Hack.friendly.tagged_with(params[:tag]).paginate(:page => params[:page], per_page: 5)

should be replaced with this other one?

@hacks = Hack.friendly.tagged_with(params[:tag]).paginate(:page => page, per_page: 5)

  1. Unless it is an action (with a view), you always want to put those methods in the private section. You don't have to, but it's a good idea to.

  2. Yep, that's it! That's basically just going to call the method instead of using the param directly. The method is the one that looks it up directly and then makes sure it gets converted to a sane integer.
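The helper Chris describes, as an added example that is not code from this thread or from will_paginate: a Rails-free stand-in for the controller (params is a plain Hash here, and the class name HacksControllerStub is invented for the example), with `page` in the private section exactly as suggested, so the coercion can be run on the kind of values that show up in a query string.

```ruby
# Added example, not code from the thread or from will_paginate: a
# Rails-free stand-in for a controller so the `page` helper can be run
# and tested on its own. `params` is a plain Hash here; in a real
# controller it is the request params object.
class HacksControllerStub
  def initialize(params)
    @params = params
  end

  # Stands in for the index action: returns the page number that would be
  # handed to paginate(:page => page, per_page: 5).
  def index_page
    page
  end

  private

  attr_reader :params

  # params[:page] arrives as a String (or nil). String#to_i keeps only the
  # leading digits, so "2' OR 1=1--" becomes 2, "abc" and nil become 0,
  # and the ternary folds 0 and negatives back to page 1.
  def page
    p = params[:page].to_i
    p > 1 ? p : 1
  end
end

# Constructed sample query-string values and the page each should yield.
SAMPLES = {
  "3"           => 3,
  nil           => 1,     # ?page missing entirely
  ""            => 1,
  "0"           => 1,
  "-7"          => 1,
  "abc"         => 1,
  "2' OR 1=1--" => 2,     # tampered value: only the leading digits survive
}

if __FILE__ == $0
  SAMPLES.each do |raw, expected|
    got = HacksControllerStub.new({ page: raw }).index_page
    puts "#{raw.inspect.ljust(14)} -> #{got} #{got == expected ? 'ok' : 'MISMATCH'}"
  end
end
```

Whatever the attacker appends after the digits never reaches the query, because paginate only ever sees an Integer.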


Thanks Chris! No more evidence of the issue in Rollbar. A security checklist episode would be great!
