On Thu, Jun 17, 2004 at 07:06:01PM +0200, Michael Neumann wrote:
> On Wed, Jun 16, 2004 at 09:44:28PM +0200, Johannes Barre wrote:
> > Hi!
> >
> > I've joined a project which is using its own database layer. I want to
> > suggest using ruby-dbi instead, but first I want to ask if it is
> > possible to write code with ruby-dbi which is vulnerable to SQL injections?
> >
> > This is of course vulnerable:
> > dbh.execute("SELECT * FROM people WHERE id = #{id}")
> >
> > But is this safe?
> > dbh.execute("SELECT * FROM people WHERE id = ?", id)
>
> It should be safe! Of course, if you're a malicious programmer, you could
Well, the bind method of DBI is not vulnerable (at least I'm not aware
of any such case... please show me the contrary). The DBDs might be, depending on the
implementation (they're free to implement their own bind method).
We need to run these test cases for every DBD to make sure of this.
Regards,
Michael
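To illustrate the difference the thread is about, here is an added example (my own code, not ruby-dbi's or any DBD's implementation) of a minimal client-side binder in the style DBI uses when a driver has no native placeholders: `?` markers outside string literals are replaced with quoted values, so a bind value can only ever become one SQL literal, whereas interpolation pastes it straight into the query text. `BindDemo`, `quote`, `bind`, `interpolate` and `bound` are all names I made up for this example; the quoting rule (ANSI single-quote doubling) is an assumption and would have to match the target database.

```ruby
# Added example, not ruby-dbi code: a toy client-side bind implementation
# to show why "id = ?" with a bind value differs from "id = #{id}".
module BindDemo
  # Quote one Ruby value as a SQL literal.
  # Assumption: ANSI-style quoting, i.e. a single quote is written as ''.
  def self.quote(value)
    case value
    when nil            then "NULL"
    when Integer, Float then value.to_s
    when String         then "'" + value.gsub("'", "''") + "'"
    else raise ArgumentError, "unsupported bind type: #{value.class}"
    end
  end

  # Replace each ? placeholder that is *outside* a quoted string with the
  # quoted form of the next bind value. A ? inside '...' is left alone.
  def self.bind(sql, *params)
    params = params.dup
    out = +""
    in_string = false
    sql.each_char do |ch|
      if in_string
        out << ch
        in_string = false if ch == "'"   # '' toggles off and on again
      elsif ch == "'"
        in_string = true
        out << ch
      elsif ch == "?"
        raise ArgumentError, "too few bind values" if params.empty?
        out << quote(params.shift)
      else
        out << ch
      end
    end
    raise ArgumentError, "too many bind values" unless params.empty?
    out
  end

  # The vulnerable form from the thread: the value becomes part of the
  # query structure, so anything the caller passes is executed as SQL.
  def self.interpolate(id)
    "SELECT * FROM people WHERE id = #{id}"
  end

  # The bound form from the thread: the value becomes a single literal.
  def self.bound(id)
    bind("SELECT * FROM people WHERE id = ?", id)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input containing SQL syntax; shown for both code paths.
  puts BindDemo.interpolate("1 OR 1=1")  # structure altered
  puts BindDemo.bound("1 OR 1=1")        # stays one string literal
  puts BindDemo.bound(42)
end
```

The same inputs (a value containing SQL keywords, a value containing a single quote, a `?` inside a string literal) are what you would feed through each real DBD's `execute` against a scratch table to check that the driver's own bind path round-trips them as data, which is the per-DBD test the reply above calls for.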