ruby on rails - Is it possible to modify database using SQL injection with Active Record -


this question has answer here:

using rails 4.0 have controller action uses request parameters in active record query:

@clients = client.where(params[:where]).order(params[:order]).limit(params[:limit])

would possible user, using sql injection, modify database, or obtain information database not contained in clients table?

if example appreciated, simple method prevent possibility (i understand placeholders or hash parameters remove vulnerablity don't see how create same functionality using them)

thanks in advance.

edit

i understand these methods have vulnerabilities. question concerns extent of vulnerablity. not able find answer specific question in rails guides.

the where method assumes argument sql fragment if it's string.

what happens next depends on database used, example on mysql active record turns off ability query contain multiple statements, it's not case of injecting clause ';'.

current versions of rails use prepared statements on postgres, forbids injection of multiple statements.

in general relying on seems extremely risky , may vary on other databases. if data modification / theft not possible, denial of service trivial.

it possible steal information of form "is there user email address xyz" using subquery uses exists. little time patience extract values, example if know user's id , want extract email address run subselects of form

select * users id = 123 , email_address 'a%'

if results know email address starts a, , can move onto next letter. if not check whether email address starts b , on. once i've got first character, queries of form

select * users id = 123 , email_address 'fa%' select * users id = 123 , email_address 'fb%' select * users id = 123 , email_address 'fc%'

allow me extract second character of email address. few thousand queries whole email address.

another way use sleep function on mysql - allow extraction of variables 1 byte @ time based on how long page took load


-

Comments

Post a Comment

Popular posts from this blog

c# - Binding a comma separated list to a List<int> in asp.net web api -

the default binder in web api expecst http://url.com/webapi/report/?pageids=3243&pageids=2365 to bind public ihttpactionresult report(list<int> pageids){ // exciting webapi code} i wish bind http://url.com/webapi/report/?pageids=3243,2365 as running out of space in url get . i have created class public class commaseparatedmodelbinder : system.web.http.modelbinding.imodelbinder { public bool bindmodel(httpactioncontext actioncontext, modelbindingcontext bindingcontext) { //binding in here } } and registered in webapiconfig.cs var provider = new simplemodelbinderprovider( typeof(list<int>), new commaseparatedmodelbinder()); config.services.insert(typeof(modelbinderprovider), 0, provider); i have altered method signature use model binder so public ihttpactionresult report( [modelbinder] list<int> pageids){ // exciting webapi code} however break point in binder not being
Read more

Delphi 7 and decode UTF-8 base64 -

in delphi 7, have widestring encoded base64(that received web service widestring result) : pd94bwwgdmvyc2lvbj0ims4wij8+dqo8c3ryaw5nptiq2lpyqjwvc3ryaw5npg== when decoded it, result not utf-8: <?xml version="1.0"?> <string>طھط³طھ</string> but when decoded base64decode.org, result true : <?xml version="1.0"?> <string>تست</string> i have use encddecd unit decodestring function. the problem have using decodestring . function, in delphi 7, treats decoded binary data being ansi encoded. , problem text utf-8 encoded. to continue encddecd unit have couple of options. can switch decodestream . instance, code produce utf-8 encoded text file data: {$apptype console} uses classes, encddecd; const data = 'pd94bwwgdmvyc2lvbj0ims4wij8+dqo8c3ryaw5nptiq2lpyqjwvc3ryaw5npg=='; var input: tstringstream; output: tfilestream; begin input := tstringstream.create(data); try output := tfilestream.
Read more

html - Is there any way to exclude a single element from the style? (Bootstrap) -

so, have img logo, overlaid on div styled background-image: url("...") , , both elements inside 2 div classes .to-color , .to-overlay respectively, black transparent overlay. is there way exclude logo style given these 2 classes? here's jsfiddle example: link html , css example: - html - <div class="to-color"> <div class="to-overlay"> <div class="respo"> <div class="row"> <div class="col-xs-4 col-xs-offset-4 text-center"> <img src="http://ansonalex.com/wp-content/uploads/2011/06/google-logo-768x260.png" alt="..." class="img-responsive"> </div> </div> </div> </div> </div> - css - .to-color { background-color: #000; } .to-overlay { opacity : 0.5; } .respo { background-image: url("https://source.unsplash.com/category/objects/1600x900"); background-position: center center;
Read more