undefined | Better HN

0 pointsgrey-area9y ago0 comments

This is probably incredibly common for things like order params in many web apps and also relies on silly conversion rules in MySQL. Any time you see order=name in params you should be suspicious. Better to use numeric enums. There are similar problems with column names, this site has some great examples which apply to many ohms, not just rails:

http://rails-sqli.org

The lesson is you should always strongly assert the type of user input (where you can, convert to known good values which is even better), and never magically convert types as rails/ MySQL does here. It's less convenient but safer.

0 comments

2 comments · 1 top-level

true_religion9y ago· 1 in thread

Django for example will throw an error if an ordering parameter does not correspond to a database column.

If you have to specify all the columns of a table in Rails, then ActiveRecord ought to be able to restrict the order params to only column names.

smithd989y ago

I imagine some ORMs don't have this so people can do order by computed columns like "order by assets - liabilities"

To your point it probably makes sense to have an order method that verifies column names and an order_raw method that takes a string so the caller understands the risk, while protecting the usual case.

j / k navigate · click thread line to collapse