这个Ruby on Rails代码是否容易受到SQL注入攻击?

时间:2013-08-20 02:20:10

标签: mysql ruby-on-rails sql-injection

感谢您的帮助。我是Rails的新手(使用Rails 2,我知道这不是理想的,但这对项目来说是必要的。)我有一个带有几个输入的表单。我想确保我保护我的用户免受SQL注入。我想我已经妥善处理了,但我只是想确定一下,尤其是输入。

footwear.html.erb有保存到鞋子和袜子表的形式 

    <% form_for @shoe, :html=>{:id=>'createanOrder'} do |f| %>

    <input id="shoe_name" name="shoename" size="30" type="text" value="New Shoe"></p>

    <p>Enter a decoration for the top:
    <input id="topdecorationinput" type="text" name="topdecorationinput" size="56"></p>

    <p>Or, select a decoration from the list:
    <select id="topdecorationdropdown" name="topdecorationdropdown">
    <option value="">
    <% for allshoe in @allshoe %>
    <option value="<%= allshoe.decoration %>"><%= allshoe.decoration %></option>
    <% end %>
    </select>
    </p>

    <select multiple id="socks" name="socksselected[]">
    <% for sock in @sock %>
    <option selected value="<%= sock.name %>">
    <%= sock.name %></option>
    <% end %>
    </select>  

    <input type="checkbox" name="shipit" id="shipt" checked="true">

    <p>Enter a decoration for the bottom:
    <input id="bottomdecorationinput" type="text" name="bottomdecorationinput" size="56"></p>

    <p>Or, select a decoration from the list:
    <select id="bottomdecorationdropdown" name="bottomdecorationdropdown">
    <option value="">
    <% for allshoe in @allshoe %>
    <option value="<%= allshoe.decoration %>"><%= allshoe.decoration %></option>
    <% end %>
    </select>
    </p>
    <input type="submit" id="savethisorder" value="Save Order or Update Order">     
    <% end %>

鞋子控制器 

    class ShoesController < ApplicationController
    # GET /shoes
    # GET /shoes.xml
    def index
    @shoe = Shoe.all
    @sock = Sock.all
    respond_to do |format|
    format.html # index.html.erb
  format.xml  { render :xml => @shoes }
    end
    end

    # GET /shoes/1
    # GET /shoes/1.xml

    def show
    @shoe = Shoe.find(params[:id])
    @sock = Sock.find(params[:id])
    respond_to do |format|
    format.html # show.html.erb
    format.xml  { render :xml => @shoe }
    end
    end

    # GET /shoes/new
    # GET /shoes/new.xml
    def new
    @shoe = Shoe.new
    @sock = Sock.new
    respond_to do |format|
    format.html # new.html.erb
    format.xml  { render :xml => @shoe }
    end
    end

    # GET /shoes/1/edit
    def edit
    @shoe = Shoe.find(params[:id])
@sock = Sock.find(params[:id])
    respond_to do |format|
      format.html # edit.html.erb
      format.xml  { render :xml => @activity }
    end
    end

    # POST /shoes
    # POST /shoes.xml

    def create

    @shoe = Shoe.new(params[:shoe])
    @shoe.name = params[:shoename]

    if !params[:topdecorationdropdown].blank?
    @shoe.decoration = params[:topdecorationinput]
    else
    @shoe.decoration = params[:topdecorationdropdown]
    topdecorationdropdown_array = params[:topdecorationdropdown].split(',').collect(&:strip) 
    @shoe.sparkletopdecorationdropdown = Allshoe.find(:first, :conditions => {:sparkle => topdecorationdropdown_array[0]).sparkle
    end                                     

    socks = params[:socksselected]
    socks.each do |sock_info|
    sock = Sock.new
    sock.sockdescription = sock_info
    sock.shoe = @shoe

    sockdecoration_array = sock_info.split(',').collect(&:strip)
    @sockisaset = Allshoe.find(:first, :conditions => {:decoration => sockdecoration_array[0]})
        if @sockisaset
        sock.sparkle = Allshoe.find(:first, :conditions => {:sparkle => sockdecoration_array[0]).sparkle
        else
        sock.sparkle = nil
        end 
    sock.save
    end


    if !params[:shipit].blank?
    @shoe.shipit = 1
    else
    @shoe.shipit = 0
    end

    if !params[:bottomdecorationdropdown].blank?
    @shoe.decoration = params[:bottomdecorationinput]
    else
    @shoe.decoration = params[:bottomdecorationdropdown]
    bottomdecorationdropdown_array = params[:bottomdecorationdropdown].split(',').collect(&:strip) 
    @shoe.sparklebottomdecorationdropdown = Allshoe.find(:first, :conditions => {:sparkle => bottomdecorationdropdown_array[0]).sparkle

    end         
end


respond_to do |format|
  if @shoe.save
    format.html { redirect_to "/store" }
    format.xml  { render :xml => @shoe, :status => :created}
  else
    format.html { render :action => "new" }
    format.xml  { render :xml => @shoe.errors, :status => :unprocessable_entity }
  end
end
    end

    # PUT /shoes/1
    # PUT /shoes/1.xml

    def update
    @shoe = Shoe.find(params[:id])
    respond_to do |format|
    if @shoe.update_attributes(params[:shoe])
    flash[:notice] = 'Shoe was successfully updated.'
    format.html { redirect_to "/store" }
    format.xml  { head :ok }
    else
    format.html { render :action => "edit" }
    format.xml  { render :xml => @shoe.errors, :status => :unprocessable_entity }
    end
    end
    end

    # DELETE /shoes/1
    # DELETE /shoes/1.xml

    def destroy
    @shoe = Shoe.find(params[:id])
    @shoe.destroy
    respond_to do |format|
    format.html { redirect_to "/store" }
    format.xml  { head :ok }
    end
    end
    end

鞋子模型 

    class Shoe < ActiveRecord::Base
belongs_to :footwear
has_many :socks, :dependent => :destroy
    end

1 个答案:

答案 0 :(得分:1)

上面给出的代码受到SQL注入的保护。可以在ROR中进行注入,但通常在构建查询时在sql命令的find中直接使用变量时发生。

对于EX:

sq = "Select * from users where id = {params[:id]}"
res = User.find_by_sql(sql)

在上面提到的情况下,sql注入可以通过在params [:id]中发送适当的语句来完成。上面的代码可以写成如下,以防止注射。

sq = "Select * from users where id = ?"
res = User.find_by_sql([sql,params[:id]])

上面编写的代码对于SQL注入是安全的。

相关问题
最新问题