Ruby On Rails Interview Questions and Answers
Question: How can you safeguard a Rails application from SQL injection attacks?

Answer: Rails already has the logic built in to prevent SQL injection, provided you use the right syntax. Say you are trying to authenticate a user by login and password; you might be tempted to write:

    User.first("login = '#{params[:name]}' AND password = '#{params[:password]}'")

If an attacker enters ' OR '1'='1 as the name and ' OR '2'>'1 as the password, the resulting SQL query is:

    SELECT * FROM users WHERE login = '' OR '1'='1' AND password = '' OR '2'>'1' LIMIT 1

Because AND binds tighter than OR, the WHERE clause is true for every row, so the query simply returns the first record in the users table and grants the attacker access as that user. To prevent this type of SQL injection, pass the values as bind parameters instead of interpolating them into the string:

    User.where("login = ? AND password = ?", entered_user_name, entered_password).first

or, equivalently, use the hash form:

    User.where(:login => entered_user_name, :password => entered_password).first

In both forms Rails quotes and escapes the values itself, so attacker input is treated as data rather than as part of the SQL statement.
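The following is an added example, not code from the original answer: a small database-free stand-in that builds the query both ways, so the effect of the attacker input above can be compared side by side. The `bind_params` and `quote_literal` helpers are a simplified imitation of ActiveRecord's placeholder handling, written for this illustration.

```ruby
# Vulnerable form: string interpolation, as in User.first("...") above.
# Attacker-controlled text becomes part of the SQL grammar.
def unsafe_query(name, password)
  "SELECT * FROM users WHERE login = '#{name}' AND password = '#{password}' LIMIT 1"
end

# Quote a value as a SQL string literal, doubling any embedded single quote.
# Simplified imitation of what ActiveRecord's adapters do; real adapters
# handle more (e.g. backslashes on MySQL), so never use this in production.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each '?' placeholder with the corresponding quoted literal, the way
# User.where("login = ? AND password = ?", a, b) is processed.
def bind_params(sql, *values)
  raise ArgumentError, "wrong number of bind values" unless sql.count("?") == values.size
  remaining = values.dup
  sql.gsub("?") { quote_literal(remaining.shift) }
end

# Safe form: the same query built from placeholders plus bind values.
def safe_query(name, password)
  bind_params("SELECT * FROM users WHERE login = ? AND password = ? LIMIT 1", name, password)
end

# Constructed attacker input, taken from the answer above.
ATTACK_NAME     = "' OR '1'='1"
ATTACK_PASSWORD = "' OR '2'>'1"

if __FILE__ == $0
  puts "unsafe: #{unsafe_query(ATTACK_NAME, ATTACK_PASSWORD)}"
  # -> the WHERE clause is true for every row
  puts "safe:   #{safe_query(ATTACK_NAME, ATTACK_PASSWORD)}"
  # -> the quotes are doubled, so both inputs stay plain string literals
end
```

Run it with `ruby` and compare the two lines: in the safe version the injected quotes are escaped, so the login and password must literally equal the attacker's strings.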