by nupark
5556 days ago
I'm not offering a "pointed critique of Rails" ([edit] although your framing it as such seems to encourage downvotes into the negatives). I'm demonstrating how the use of non-parameterized queries is a source of error that has repeatedly resulted in SQL injection issues in ActiveRecord. I have provided three different examples:

- In the first, the API design itself made it non-obvious/easy to directly concatenate strings while -- at a glance -- appearing to be correct.
- In the second, the API's implementation resulted in SQL injection because :limit and :offset arguments were not correctly escaped.
- In the third, the API's documentation and recommended usage (in 2004) encouraged users to use constructs that appeared to provide defense against SQL injection, but in reality, did not.
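An added illustration of the distinction the comment above draws (this is not code from the thread, and it is not ActiveRecord's own implementation): a tiny stand-in query builder in plain Ruby with an interpolating path, a `?`-placeholder path with simplified string-literal quoting, and an integer-validated LIMIT/OFFSET path. The module name `QueryDemo`, the quoting rule (doubling embedded single quotes) and the sample inputs are all assumptions made for the example; real adapters have database-specific escaping that this does not model.

```ruby
# Added illustration, not ActiveRecord code. Quoting is deliberately
# simplified (single-quote doubling only) to show the shape of the problem.
module QueryDemo
  module_function

  # Error-prone style: untrusted input is interpolated straight into the
  # fragment. It reads as if it were "the query", but nothing quotes it.
  def where_interpolated(name)
    "SELECT * FROM users WHERE name = '#{name}'"
  end

  # Quote a value as a SQL literal (assumed rule: double embedded quotes).
  def quote(value)
    case value
    when Integer then value.to_s
    when nil     then "NULL"
    else "'" + value.to_s.gsub("'", "''") + "'"
    end
  end

  # Placeholder style: each ? is replaced by a quoted bind value, so the
  # caller never concatenates raw input into SQL.
  def where_parameterized(template, *args)
    unless template.count("?") == args.length
      raise ArgumentError, "wrong number of bind values"
    end
    i = -1
    fragment = template.gsub("?") { quote(args[i += 1]) }
    "SELECT * FROM users WHERE #{fragment}"
  end

  # LIMIT/OFFSET are not string literals, so string quoting does not apply;
  # they must be validated as non-negative integers before being placed in
  # the statement (the comment's second case concerned exactly these args).
  def with_limit_offset(sql, limit, offset)
    l = Integer(limit)   # raises ArgumentError on "10; DROP TABLE users"
    o = Integer(offset)
    raise ArgumentError, "negative limit/offset" if l < 0 || o < 0
    "#{sql} LIMIT #{l} OFFSET #{o}"
  end
end

if __FILE__ == $PROGRAM_NAME
  evil = "x' OR '1'='1"                      # constructed sample input
  puts QueryDemo.where_interpolated(evil)    # tautology leaks into the query
  puts QueryDemo.where_parameterized("name = ?", evil)
  puts QueryDemo.with_limit_offset("SELECT * FROM users", "10", "0")
  begin
    QueryDemo.with_limit_offset("SELECT * FROM users", "10; DROP TABLE users", 0)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The point of the two string-building paths is that they look equally "correct" at the call site; only the placeholder path actually keeps the input as data. The LIMIT/OFFSET path shows why quoting alone is not the whole story: a numeric position in the statement needs a type check, not an escape routine.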