Is ActiveRecord's "order" method vulnerable to SQL injection?


Question


I know it's not safe to use interpolated strings when calling .where.

For example, this:

Client.where("orders_count = #{params[:orders]}")

should be rewritten as:

Client.where("orders_count = ?", params[:orders])


Is it safe to use interpolated strings when calling .order? If not, how should the following be rewritten?

Client.order("#{some_value_1}, #{some_value_2}")

Accepted answer


Yes, ActiveRecord's "order" method is vulnerable to SQL injection.


No, it is not safe to use interpolated strings when calling .order.


The above answers to my question have been confirmed by Aaron Patterson, who pointed me to http://rails-sqli.org/#order . From that page:


Taking advantage of SQL injection in ORDER BY clauses is tricky, but a CASE statement can be used to test other fields, switching the sort column for true or false. While it can take many queries, an attacker can determine the value of the field.


Therefore it's important to manually check anything going to order is safe; perhaps by using methods similar to @dmcnally's suggestions.

Thanks all.
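One way to do the manual check the answer calls for is an allowlist: the request may only name a column and a direction the application already knows about, and everything else is rejected before it gets anywhere near order. The code below is an added example, not part of the question or answer above and not Rails code; the column names are constructed for the example, and ActiveRecord is not needed to run it. The intended call site would be Client.order(safe_order(params[:sort])).

```ruby
# Allowlist-based sanitizer for a user-supplied sort parameter.
# Only these columns and directions may ever reach ActiveRecord's order method.
# The column names are constructed for this example.
ALLOWED_SORT_COLUMNS = %w[name orders_count created_at].freeze
ALLOWED_DIRECTIONS   = %w[asc desc].freeze

class UnsafeOrderParameter < ArgumentError; end

# Takes a raw request value such as "orders_count desc" and returns
# { orders_count: :desc }, the hash form accepted by order(...).
# Anything not on the allowlist raises instead of being interpolated into SQL,
# so a value like "orders_count desc, name" or an unknown column never becomes
# part of the ORDER BY clause.
def safe_order(param, columns: ALLOWED_SORT_COLUMNS, directions: ALLOWED_DIRECTIONS)
  raise UnsafeOrderParameter, "missing sort parameter" if param.nil? || param.to_s.strip.empty?

  # Split on the first run of whitespace only: "a desc, b" yields direction "desc, b",
  # which fails the direction check below.
  column, direction = param.to_s.strip.downcase.split(/\s+/, 2)
  direction ||= "asc"

  raise UnsafeOrderParameter, "unknown sort column" unless columns.include?(column)
  raise UnsafeOrderParameter, "unknown sort direction" unless directions.include?(direction)

  { column.to_sym => direction.to_sym }
end

# For callers that prefer a default ordering over an error on bad input.
def safe_order_or_default(param, default: { created_at: :desc }, **opts)
  safe_order(param, **opts)
rescue UnsafeOrderParameter
  default
end

if __FILE__ == $PROGRAM_NAME
  p safe_order("orders_count desc")          # {:orders_count=>:desc}
  p safe_order_or_default("orders_count; x") # {:created_at=>:desc}
end
```

Returning a hash rather than a rebuilt string matters: with order(orders_count: :desc) ActiveRecord quotes the column identifier itself, whereas order("orders_count desc") is passed through as raw SQL even when the string happens to be harmless.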

