mysql - Is this Ruby on Rails code vulnerable to SQL injection?

Tags: mysql ruby-on-rails sql-injection

Thanks for your help with this. I am new to Rails (using Rails 2, which I know is not ideal, but it is necessary for this project). I have a form with several inputs. I want to make sure I am protecting my users from SQL injection. I think I have handled it correctly, but I just want to be sure, especially with regard to the inputs.

footwear.html.erb has the form that saves to the shoes and socks tables

    <% form_for @shoe, :html => {:id => 'createanOrder'} do |f| %>

      <p><input id="shoe_name" name="shoename" size="30" type="text" value="New Shoe"></p>

      <p>Enter a decoration for the top:
        <input id="topdecorationinput" type="text" name="topdecorationinput" size="56"></p>

      <p>Or, select a decoration from the list:
        <select id="topdecorationdropdown" name="topdecorationdropdown">
          <option value=""></option>
          <% for allshoe in @allshoe %>
            <option value="<%= allshoe.decoration %>"><%= allshoe.decoration %></option>
          <% end %>
        </select>
      </p>

      <select multiple id="socks" name="socksselected[]">
        <% for sock in @sock %>
          <option selected value="<%= sock.name %>"><%= sock.name %></option>
        <% end %>
      </select>

      <input type="checkbox" name="shipit" id="shipit" checked="checked">

      <p>Enter a decoration for the bottom:
        <input id="bottomdecorationinput" type="text" name="bottomdecorationinput" size="56"></p>

      <p>Or, select a decoration from the list:
        <select id="bottomdecorationdropdown" name="bottomdecorationdropdown">
          <option value=""></option>
          <% for allshoe in @allshoe %>
            <option value="<%= allshoe.decoration %>"><%= allshoe.decoration %></option>
          <% end %>
        </select>
      </p>

      <input type="submit" id="savethisorder" value="Save Order or Update Order">
    <% end %>

Shoes controller

    class ShoesController < ApplicationController
      # GET /shoes
      # GET /shoes.xml
      def index
        @shoe = Shoe.all
        @sock = Sock.all
        respond_to do |format|
          format.html # index.html.erb
          format.xml  { render :xml => @shoe }
        end
      end

      # GET /shoes/1
      # GET /shoes/1.xml
      def show
        @shoe = Shoe.find(params[:id])
        @sock = Sock.find(params[:id])
        respond_to do |format|
          format.html # show.html.erb
          format.xml  { render :xml => @shoe }
        end
      end

      # GET /shoes/new
      # GET /shoes/new.xml
      def new
        @shoe = Shoe.new
        @sock = Sock.new
        respond_to do |format|
          format.html # new.html.erb
          format.xml  { render :xml => @shoe }
        end
      end

      # GET /shoes/1/edit
      def edit
        @shoe = Shoe.find(params[:id])
        @sock = Sock.find(params[:id])
        respond_to do |format|
          format.html # edit.html.erb
          format.xml  { render :xml => @shoe }
        end
      end

      # POST /shoes
      # POST /shoes.xml
      def create
        @shoe = Shoe.new(params[:shoe])
        @shoe.name = params[:shoename]

        # Top decoration: free-text input or dropdown value
        if !params[:topdecorationdropdown].blank?
          @shoe.decoration = params[:topdecorationinput]
        else
          @shoe.decoration = params[:topdecorationdropdown]
          topdecorationdropdown_array = params[:topdecorationdropdown].split(',').collect(&:strip)
          @shoe.sparkletopdecorationdropdown = Allshoe.find(:first, :conditions => {:sparkle => topdecorationdropdown_array[0]}).sparkle
        end

        # One Sock record per selected entry in the multi-select (empty when none selected)
        socks = params[:socksselected] || []
        socks.each do |sock_info|
          sock = Sock.new
          sock.sockdescription = sock_info
          sock.shoe = @shoe

          sockdecoration_array = sock_info.split(',').collect(&:strip)
          @sockisaset = Allshoe.find(:first, :conditions => {:decoration => sockdecoration_array[0]})
          if @sockisaset
            sock.sparkle = Allshoe.find(:first, :conditions => {:sparkle => sockdecoration_array[0]}).sparkle
          else
            sock.sparkle = nil
          end
          sock.save
        end

        if !params[:shipit].blank?
          @shoe.shipit = 1
        else
          @shoe.shipit = 0
        end

        # Bottom decoration: free-text input or dropdown value
        if !params[:bottomdecorationdropdown].blank?
          @shoe.decoration = params[:bottomdecorationinput]
        else
          @shoe.decoration = params[:bottomdecorationdropdown]
          bottomdecorationdropdown_array = params[:bottomdecorationdropdown].split(',').collect(&:strip)
          @shoe.sparklebottomdecorationdropdown = Allshoe.find(:first, :conditions => {:sparkle => bottomdecorationdropdown_array[0]}).sparkle
        end

        respond_to do |format|
          if @shoe.save
            format.html { redirect_to "/store" }
            format.xml  { render :xml => @shoe, :status => :created }
          else
            format.html { render :action => "new" }
            format.xml  { render :xml => @shoe.errors, :status => :unprocessable_entity }
          end
        end
      end

      # PUT /shoes/1
      # PUT /shoes/1.xml
      def update
        @shoe = Shoe.find(params[:id])
        respond_to do |format|
          if @shoe.update_attributes(params[:shoe])
            flash[:notice] = 'Shoe was successfully updated.'
            format.html { redirect_to "/store" }
            format.xml  { head :ok }
          else
            format.html { render :action => "edit" }
            format.xml  { render :xml => @shoe.errors, :status => :unprocessable_entity }
          end
        end
      end

      # DELETE /shoes/1
      # DELETE /shoes/1.xml
      def destroy
        @shoe = Shoe.find(params[:id])
        @shoe.destroy
        respond_to do |format|
          format.html { redirect_to "/store" }
          format.xml  { head :ok }
        end
      end
    end

Shoe model

    class Shoe < ActiveRecord::Base
      belongs_to :footwear
      has_many :socks, :dependent => :destroy
    end

Best answer

The code given above is protected against SQL injection. Injection is possible in RoR, but it usually happens when variables are used directly in a find_by_sql command while building the query.

For example:

    sql = "Select * from users where id = #{params[:id]}"
    res = User.find_by_sql(sql)

In the case above, SQL injection can be carried out by sending an appropriate statement in params[:id]. The same code can be written as below to prevent injection.

    sql = "Select * from users where id = ?"
    res = User.find_by_sql([sql, params[:id]])

The code written above is safe and is not affected by SQL injection.
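The two find_by_sql calls in the answer, run side by side without Rails. This is an added example, not code from the question or the answer: bind_sql and quote_sql_value are a hypothetical stand-in for ActiveRecord's "?" placeholder binding (the real adapters quote per database), and the sample parameter value is constructed.

```ruby
# Added example (not from the original question or answer): a minimal
# stand-in for ActiveRecord's "?" placeholder binding, so the difference
# between the two find_by_sql forms in the answer can be run without Rails.

# Quote one bound value the way a SQL adapter would: integers pass through,
# nil becomes NULL, strings are wrapped in single quotes with embedded
# quotes doubled. Hypothetical helper, not ActiveRecord's own.
def quote_sql_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# The safe form from the answer: a template with "?" placeholders plus an
# array of values, each substituted as a single quoted literal.
def bind_sql(template, *values)
  parts = template.split("?", -1)
  unless parts.size - 1 == values.size
    raise ArgumentError, "placeholder/value count mismatch"
  end
  out = parts.first.dup
  values.each_with_index { |v, i| out << quote_sql_value(v) << parts[i + 1] }
  out
end

# The unsafe form from the answer: the raw request parameter is
# interpolated, so whatever it contains becomes part of the SQL text.
def interpolate_sql(param)
  "Select * from users where id = #{param}"
end

# The same query built with a placeholder: the parameter stays one literal.
def parameterized_sql(param)
  bind_sql("Select * from users where id = ?", param)
end

if __FILE__ == $0
  # Constructed sample input: a value that is not a plain numeric id.
  param = "1 OR 1=1"
  puts interpolate_sql(param)    # the extra condition is now part of the WHERE clause
  puts parameterized_sql(param)  # the whole value is compared as one string literal
end
```

The hash-style conditions in the question's controller (`:conditions => {:sparkle => ...}`) go through the same quoting path as the placeholder form, which is why the answer treats them as safe; only string-built SQL bypasses it.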

Regarding "mysql - Is this Ruby on Rails code vulnerable to SQL injection?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/18326010/
