Ask A Question


You’re not receiving notifications from this thread.

SQL injection attempts, any advice?

Javier Sanz asked in General

Hi there,

In the logs of Rollbar for my app, I have seen in the past 2 days attempts like the ones in the image

I'm using 'will_paginate' gem for pagination of several records in the app, and also a gem to 'like' elements. Also I found this thread in a google groups but no idea how to include the suggested in my code. Within my hacks_controller.rb these are the 2 methods that include paginate:

def index
@hacks = Hack.friendly.order('id desc').paginate(:page => params[:page], per_page: 5)

def tagged
if params[:tag].present?
@hacks = Hack.friendly.tagged_with(params[:tag]).paginate(:page => params[:page], per_page: 5)
@hacks = redirect_to hacks_path

Any help & advice on how to avoid these kind of attempts?


The page method he suggested should work nicely. I have had this issue before on GoRails too.

You can add this to the bottom of your controller or ApplicationController and just replace all the params[:page] references with this method page

def page
  p = params[:page].to_i
  p > 1 ? p : 1

I'm kinda surprised will_paginate doesn't handle this internally.


Thanks Chris, two newbie questions:

  • (...) 'you should include it to the bottom of your controller': within the private methods or out of them?
  • (...) 'just replace all the params[:page] references with this method page' > Can you confirm if what I got here

@hacks = Hack.friendly.tagged_with(params[:tag]).paginate(:page => params[:page], per_page: 5)
should I replace it with this other string?
@hacks = Hack.friendly.tagged_with(params[:tag]).paginate(:page => page, per_page: 5)

  1. Unless it is an action (with a view), you always want to put those methods in the private section. You don't have to, but it's a good idea to.

  2. Yep, that's it! That's basically just going to call the method instead of using the param directly. The method is the one that looks it up directly and then makes sure it gets converted to a sane integer.


Thanks Chris! No more evidences in Rollbar of the issue again. A security checklist episode could be great!

Join the discussion
Create an account Log in

Want to stay up-to-date with Ruby on Rails?

Join 83,453+ developers who get early access to new tutorials, screencasts, articles, and more.

    We care about the protection of your data. Read our Privacy Policy.