
Update branches for using sql statements #1

Open
wants to merge 1 commit into base: master

Conversation

jdrobertso (Owner)

This PR includes initial project setup. Includes setting up the Mysql database and hooking it in, as well as setting up a dummy model, controller, and serializer on the API side, as well as a model on the ember side so data can be created, updated, and destroyed through the console and viewed on the ember inspector as well as directly in the api server itself. The goal of this branch was to create a rails API without using Active Record or any other ORM tool, and instead using SQL statements to achieve the same aim.

Commits:

- working on gitmodules
- setup git modules
@camway (Collaborator) commented Dec 9, 2019

I think the only thing that jumped out at me in here was this (there are a couple of others that are similar):

```ruby
  # Inserts one row using a prepared statement with three placeholders
  def self.save(id, name, number)
    query = DB.prepare(
      "INSERT INTO Dummy VALUES (?, ?, ?)"
      )
    query.execute(id, name, number)
    add_to_all(id)
    true
  end
```

I don't believe the raw mysql2 client will sanitize the values being inserted this way, and I can't find another spot where they would be sanitized.

If you want to try to see if you can inject SQL in your own code, try something like this:

This will likely be easier for you to test than me since I don't have the project setup, but try inserting something like this:

```ruby
bad_actor_sql = "something\\\"); SHOW FULL PROCESSLIST; #"
```

This is kind of hard to read, but the idea is that you have a query like this:

```sql
INSERT INTO people (name) VALUES (?);
```

When parsed and inserted, you're trying to terminate the original statement, and run the one you want to attack with after it:

```sql
INSERT INTO people (name) VALUES ("something"); SHOW FULL PROCESSLIST; #)
```

So the first statement completes, then the second statement runs, then the rest of your SQL is commented out.

@jdrobertso (Owner, Author) commented

> I don't believe the raw mysql2 client will sanitize the values being inserted this way, and I can't find another spot where they would be sanitized.

My understanding was that by using prepared statements the mysql2 gem's execute method actually does handle SQL injection for you. I will try to read up more on this and be sure of that, but I've found a few sources that suggest this is the way to prevent SQL injections.
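The point under discussion is whether a bound parameter can ever be parsed as SQL. With mysql2's `prepare`/`execute`, the statement text is sent to the server on its own and the values travel separately in the binary protocol, so the server never tokenizes them; the risk the review describes arises when the value is interpolated into the query string instead. The following is an added example, not code from this repository: it models the three ways of building the reviewer's `INSERT INTO people` query (string interpolation, client-side escaping in the style of `Mysql2::Client#escape`, and a prepared statement with a separate parameter list) and uses a small quote- and comment-aware counter to show how many statements the resulting text contains. The `statement_count`, `mysql_escape`, `build_*` and `prepared_form` functions and the payload value are constructed for this illustration.

```ruby
# Constructed test value: the string the reviewer's example expands to
# (a closing quote and paren, a second statement, then a '#' comment).
PAYLOAD = 'something"); SHOW FULL PROCESSLIST; #'

# Vulnerable pattern: the value becomes part of the SQL text itself.
def build_interpolated(name)
  "INSERT INTO people (name) VALUES (\"#{name}\");"
end

# Client-side escaping with the same character set as mysql_real_escape_string
# (what Mysql2::Client#escape applies). Safer than interpolation, but still
# depends on the connection charset being known; binding avoids that entirely.
ESCAPES = {
  "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\\" => "\\\\",
  "'" => "\\'", "\"" => "\\\"", "\x1a" => "\\Z"
}.freeze

def mysql_escape(value)
  value.gsub(/[\0\n\r\\'"\x1a]/) { |c| ESCAPES[c] }
end

def build_escaped(name)
  "INSERT INTO people (name) VALUES (\"#{mysql_escape(name)}\");"
end

# Prepared-statement form: the SQL text is fixed and the value is carried
# out of band, which is how DB.prepare(...).execute(...) in the PR sends it.
def prepared_form(name)
  ["INSERT INTO people (name) VALUES (?);", [name]]
end

# Counts top-level statements in a MySQL text. Quoted strings (with backslash
# escapes) are skipped, and '#' starts a comment that runs to end of line,
# so a ';' inside a string or a comment does not start a new statement.
def statement_count(sql)
  count = 0
  quote = nil
  saw_text = false
  i = 0
  while i < sql.length
    c = sql[i]
    if quote
      if c == "\\"
        i += 1            # escaped character inside the string, skip it
      elsif c == quote
        quote = nil       # closing quote
      end
    elsif c == '"' || c == "'"
      quote = c
      saw_text = true
    elsif c == "#"
      i = sql.index("\n", i) || sql.length   # comment to end of line
      next
    elsif c == ";"
      count += 1
      saw_text = false
    elsif !c.match?(/\s/)
      saw_text = true
    end
    i += 1
  end
  count += 1 if saw_text  # trailing statement without a terminator
  count
end

if __FILE__ == $PROGRAM_NAME
  puts "interpolated: #{statement_count(build_interpolated(PAYLOAD))} statement(s)"
  puts "escaped:      #{statement_count(build_escaped(PAYLOAD))} statement(s)"
  sql, params = prepared_form(PAYLOAD)
  puts "prepared:     #{statement_count(sql)} statement(s), params=#{params.inspect}"
end
```

Two caveats for anyone reproducing the reviewer's test against a real mysql2 connection: the `SHOW FULL PROCESSLIST` piggyback only executes if the client was opened with the `MULTI_STATEMENTS` flag, which mysql2 does not set by default, so a negative result there does not prove the interpolated form is safe (the injected text still rewrites the single statement); and only the prepared form keeps the value out of the parser regardless of charset or flags.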
