Is the following code snippet vulnerable to SQL injection in Rails 5?

Time:12-15

Is the following code snippet vulnerable to SQL injection in Rails 5 if the order parameter is not sanitized? I've tried testing it using the example provided in https://rails-sqli.org/rails5 but an ActiveRecord::UnknownAttributeReference exception is raised. Does that mean the code is safe against SQLi?

@exports = Export.for_public.order(params[:order] || 'created_at DESC').page(params[:page])

CodePudding user response:

Found the answer to my question here https://medium.com/@mitsun.chieh/activerecord-relation-with-raw-sql-argument-returns-a-warning-exception-raising-8999f1b9898a.
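One defensive way to handle the pattern in the question, added here as an example rather than code from the question or the linked article: map the untrusted order parameter onto an allow-list before it reaches `.order`, so no raw SQL fragment is ever passed through. The column names and the default ordering are assumptions; the result is a Hash that ActiveRecord's `order` accepts as-is, and plain Ruby is enough to run it.

```ruby
# Added example (not from the original question or answer): build a safe
# argument for ActiveRecord's `order` from an untrusted `params[:order]`.
# Only allow-listed column names and the literal directions ASC/DESC pass;
# anything else falls back to the default ordering, so no request-supplied
# string is ever interpolated into SQL. The column names are assumptions.
ALLOWED_ORDER_COLUMNS = %w[created_at updated_at name].freeze
DEFAULT_ORDER = { created_at: :desc }.freeze

# Accepts inputs such as "created_at DESC", "name" or "updated_at asc".
# Returns a Hash suitable for:
#   Export.for_public.order(safe_order(params[:order])).page(params[:page])
def safe_order(raw)
  return DEFAULT_ORDER if raw.nil?

  # Split into at most two tokens; anything after the direction (commas,
  # semicolons, subqueries) ends up in `direction` and fails the check below.
  column, direction = raw.to_s.strip.split(/\s+/, 2)
  direction = (direction || 'asc').downcase

  return DEFAULT_ORDER unless ALLOWED_ORDER_COLUMNS.include?(column)
  return DEFAULT_ORDER unless %w[asc desc].include?(direction)

  { column.to_sym => direction.to_sym }
end
```

If a genuinely raw fragment is ever required, Rails expects it to be wrapped in `Arel.sql` to mark it as trusted, which is exactly why an allow-list like this should sit in front of it.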
