6.7. Database Refresher

Let's close out this chapter with a brief look at some important Rails database security and integrity features. Although these features may already be familiar to you, they are important enough to be touched on here. Three of the most critical needs of the database system are preventing SQL injection attacks by preventing arbitrary user-uploaded statements from being executed, preventing partial data from being saved to the database, and preventing users from getting access to resources that don't belong to them.

6.7.1. Preventing SQL Injection with the Power of Find

A SQL injection attack occurs when user input from, say, a search box is allowed to execute freely on the server side. A malicious user could place an SQL statement into the search box like:

'); DROP DATABASE soupsonline_production

If that statement is actually executed — well, hopefully you have a recent backup handy. Luckily, it's relatively straightforward to ensure that the user's text is never executed as code. The basic idea is to ensure the user input is treated as a string (or converted to the appropriate non-string data type), and that any single quote marks are escaped so the user cannot break out of the string.

Rails automatically sanitizes data sent to the database when it is the data argument of a find method or a find_by method, or where the data is part of the ? interpolation of the :conditions argument to a find method. In other words, all of the following are safe:

Recipe.find("banana") ...
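To make the difference concrete, here is an added example (not code from the book or from Rails itself) that re-implements the "?" placeholder binding in miniature and runs the chapter's own payload through both the naive interpolation and the bound form. It assumes ANSI-style single-quote doubling as the escaping rule; real ActiveRecord delegates quoting to the database adapter.

```ruby
# Quote one bind value the way a SQL adapter would: numbers pass through,
# nil becomes NULL, everything else becomes a string literal with any
# embedded single quote doubled. (Assumption: ANSI-style quoting.)
def quote_sql_value(value)
  case value
  when nil then "NULL"
  when Integer, Float then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Replace each ? in a :conditions fragment with its quoted bind value,
# mirroring what Rails does for find(:all, :conditions => ["col = ?", v]).
def bind_conditions(sql, *values)
  raise ArgumentError, "wrong number of bind values" unless sql.count("?") == values.length
  i = -1
  sql.gsub("?") { quote_sql_value(values[i += 1]) }
end

# The unsafe pattern: user input pasted straight into the statement text.
def unsafe_conditions(user_input)
  "title = '#{user_input}'"
end

# Cheap sanity check: after removing escaped ('') quotes, a well-formed
# fragment has an even number of single quotes. An odd count means the
# input terminated the literal early and the rest is live SQL.
def quotes_balanced?(fragment)
  fragment.gsub("''", "").count("'").even?
end

# The malicious search-box input shown in the chapter.
PAYLOAD = "'); DROP DATABASE soupsonline_production"

def demo
  unsafe = unsafe_conditions(PAYLOAD)
  safe   = bind_conditions("title = ?", PAYLOAD)
  {
    unsafe: unsafe, unsafe_balanced: quotes_balanced?(unsafe),
    safe: safe,     safe_balanced: quotes_balanced?(safe),
  }
end

demo.each { |k, v| puts "#{k}: #{v}" }
```

In the bound form the whole payload survives only as the contents of one string literal, which is exactly the guarantee the find and find_by helpers give you for free.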
