activerecord - Rails SQL Injection safe SELECT fields -


i have following ruby on rails code:

#the user can ask subset of following columns: authorized_fields= ["id","created_at","updated_at"]  #the user sends requested columns comma separated string in fields param fields = (params[:fields].split(',') & authorized_fields).join(",");  #build query run: sql = "select json_agg(u) (select #{fields} table_name) u"  #run query against database modelname.connection.select_value(sql)

my question is, query sql injection safe? understanding since limit available fields, protects me injections.

am correct? can give me example of fields parameter sent user not safe?

you may use activerecord::base.connection.quote_column_name. code should this:

input_fields = params[:fields].split(',').collect |field|    activerecord::base.connection.quote_column_name(field)  end

Comments

Post a Comment

Popular posts from this blog

python - PyInstaller UAC not working in onefile mode -

hello everybody. i have small python project , want make single executable file . using... windows 7 python 3.4 pyinstaller 3.2.1 my pyinstaller command is, pyinstaller -y -w -f -n output_file_name --uac-admin --clean source_file.py this command works properly. single output file not ask admin rights when executed. , there's no shield mark on executable file icon. when remove -f option (equivalent --onefile), output executable file has shield mark on icon , ask me admin rights. not want. want single executable file. i found manifest file (output_file_name.exe.manifest) in dist\output_file_name folder. did... pyinstaller -y -w -f -n output_file_name --manifest output_file_name.exe.manifest --uac-admin --clean source_file.py but command doesn't work. single executable file still not ask admin rights. i have removed pyinstaller , installed recent development version. pip install git+https://github.com/pyinstaller/pyinstaller.git@develop but result...
Read more

python - RuntimeError: can't re-enter readline -

i making python 3 app has prompt user enters commands. i'm running python 3.5 on macos sierra. i'm trying prevent exiting ctrl+c , having users exit instead typing exit prompt. i doing using method: https://stackoverflow.com/a/6019460/7450368 however, when prompting user again, runtimeerror: can't re-enter readline . is there way can fix this? here's code: import interpret import signal def siginthand(sig, frm): print("\nuse 'exit' exit.") prompt() signal.signal(signal.sigint, siginthand) version = ("v0.0.3") class commanderror(exception): pass def prompt(): try: task = input("einstein " + version + " > ") except runtimeerror: task = input("einstein " + version + " > ") try: execute(task) except commanderror e: print(e) prompt() def execute(command): command = command.lower() interpret.interp...
Read more

php - Need to store a large amount of data in session with CI 3 but on storing large data in session it is itself destorying automatically -

i working on large web application need database retrieved session instead of database. first time retrieving db , saving session onward calls of data going session. it handling data @ stage when got more data stored in session session got destroyed automatically... "this problem seems similar question says title session destroyed after redirect other pages of site." i got answer questions point here how handle thing when know in future have more data stored inside session, i wanted know little bit more involved answer right in development stage on production when have user 100000 or more how session behave, application behave in same manner did before. kindly discuss me, researching, need corporation more technical in php discussion may solution many of people facing same kind of issues.. you need use native php session because php session stores id in cookie. codeigniter stores data in cookie , problem stuck. so either need use native php sessions...
Read more