LIKE injection (opens in new tab)

(githubengineering.com)

10 pointsmastahyeti10y ago4 comments

4 comments

4 comments · 3 top-level

acconrad10y ago· 1 in thread

Perhaps Github isn't on Rails 4.2, but they've already created a method for sanitizing SQL like statements in ActiveRecord::Sanitization[1], so they shouldn't need a custom function to remove SQL injection. Also, you could always just use ActiveRecord::Base.connection.quote which will safely quote the string you want to input.

[1] http://apidock.com/rails/ActiveRecord/Sanitization/ClassMeth...

_jomo10y ago

ActiveRecord::Base.connection.quote doesn't escape % or any other LIKE-special character.

_jomo10y ago

The LIKE query '%64%68%6f%6d%65%73@%67%6d%61%69%6c.%63%6f%6d%' wasn't an injection attempt, it's just a URL-encoded email address. Most likely it was accidentally double-encoded in the search URL for some reason, so it ended up still encoded in the SQL query.

benjojo1210y ago

I actually had this issue in a chat room bot where people would do exactly this to attempt (and in some cases succeed) in a DoS against the database

j / k navigate · click thread line to collapse