Rails和SQL注入:这安全吗?

时间:2021-08-17 13:02:25
@usersfound = User.find_by_sql(["

SELECT * from users where name @@ plainto_tsquery('english', ?) LIMIT 20 offset ?

  ",@query,@offset])

See above, is this safe from sql injection? I am very new to doing direct sql commands on a database in rails. (I am aware there may be other ways of doing this SPECIFIC query, but I am wondering if in general, using find_by_sql and that kind of insertion of vars is safe - I have some difficult queries with subselects and joins that are really possible to do with ActiveRecord.

从上面看,这是安全的sql注入吗?我对在rails的数据库上执行直接的sql命令非常陌生。(我知道可能还有其他方法来执行这个特定的查询,但我想知道,一般来说,使用find_by_sql和那种插入vars是安全的——我有一些带有子选择和连接的困难查询,这与ActiveRecord是完全可能的。

Thanks.

谢谢。

2 个解决方案

#1


2  

Yes, that should be safe. If you trace through the code you'll find that your find_by_sql call ends up calling PGconn#send_query_prepared with the bind parameters being carried along as little more than baggage; the send_query_prepared method is just a wrapper for the PQsendQueryPrepared API call in libpq:

是的,那应该是安全的。如果对代码进行跟踪,您将发现您的find_by_sql调用最终调用PGconn#send_query_prepared,绑定参数仅比行李多一点点;send_query_prepared方法只是libpq中PQsendQueryPrepared API调用的包装器:

static VALUE
pgconn_send_query_prepared(int argc, VALUE *argv, VALUE self)
{
    /* ... bunch of boiler plate marshalling stuff ... */
    result = PQsendQueryPrepared(conn, StringValuePtr(name), nParams, 
        (const char * const *)paramValues, paramLengths, paramFormats, 
        resultFormat);
    /* ... */
}

The bind parameters end up in paramValues. So you should be fine unless there are bugs in PostgreSQL's C library prepared statement handling.

绑定参数在参数中结束。所以,除非PostgreSQL的C库准备语句处理中有错误,否则应该没问题。

#2


1  

Inserting dynamic values into a query using query parameters is safe.

使用查询参数将动态值插入查询是安全的。

But it depends on whether Rails is "faking" query parameters, and is actually combining @query and @offset into the SQL string before preparing the statement. Then it's only as safe as the implementation of escaping in Rails.

但这取决于Rails是否“伪造”查询参数,并且实际上是在准备语句之前将@query和@offset组合到SQL字符串中。那么只有在Rails中实现转义才是安全的。

#1


2  

Yes, that should be safe. If you trace through the code you'll find that your find_by_sql call ends up calling PGconn#send_query_prepared with the bind parameters being carried along as little more than baggage; the send_query_prepared method is just a wrapper for the PQsendQueryPrepared API call in libpq:

是的,那应该是安全的。如果对代码进行跟踪,您将发现您的find_by_sql调用最终调用PGconn#send_query_prepared,绑定参数仅比行李多一点点;send_query_prepared方法只是libpq中PQsendQueryPrepared API调用的包装器:

static VALUE
pgconn_send_query_prepared(int argc, VALUE *argv, VALUE self)
{
    /* ... bunch of boiler plate marshalling stuff ... */
    result = PQsendQueryPrepared(conn, StringValuePtr(name), nParams, 
        (const char * const *)paramValues, paramLengths, paramFormats, 
        resultFormat);
    /* ... */
}

The bind parameters end up in paramValues. So you should be fine unless there are bugs in PostgreSQL's C library prepared statement handling.

绑定参数在参数中结束。所以,除非PostgreSQL的C库准备语句处理中有错误,否则应该没问题。

#2


1  

Inserting dynamic values into a query using query parameters is safe.

使用查询参数将动态值插入查询是安全的。

But it depends on whether Rails is "faking" query parameters, and is actually combining @query and @offset into the SQL string before preparing the statement. Then it's only as safe as the implementation of escaping in Rails.

但这取决于Rails是否“伪造”查询参数,并且实际上是在准备语句之前将@query和@offset组合到SQL字符串中。那么只有在Rails中实现转义才是安全的。