« next card
previous card »
back to all cards in this deck
Posted over 11 years ago. Visible to the public.

Properly sanitizing column names for MySQL

There are times when you need to send SQL to the database, like this:

Copy
def self.some_count(field)
  field = connection.quote_column_name(field)
  scoped(:select => "COUNT(DISTINCT #{field}) AS count")
end

Although the given variable is sanitized here, the MySQLAdapter's (and probably other adapters as well) method for this is insufficient as it only wraps backticks around it, not helping against injection:

Copy
Klass.some_count("id`); DELETE FROM users; -- ")
# Will result in this SQL which is valid but definitely undesirable:
SELECT COUNT(DISTINCT `id`); DELETE FROM users; -- `) AS count;

If you are doing something like the above, the correct way is to first remove all backticks from the given string. Afterwards the unsafe code is wrapped in backticks. The resulting SQL query will look like this:

Copy
SELECT COUNT(DISTINCT `id); DELETE FROM users; -- `) AS count;

MySQL will complain about a missing column 'id); DELETE FROM users; -- ' which is safe.

Put the attached fix for the MySQL adapter into config/initializers/.

Protect your Rails app from security breaches

Does your version of Ruby on Rails still receive security updates?
Rails LTS provides security patches for unsupported versions of Ruby on Rails (2.3, 3.2, 4.2 and 5.2).

Learn more
mysql_adapter.rb

Owner of this card:

Avatar
Thomas Eisenbarth
makandra.de
Say thanks
Last edit:
over 6 years ago
by Martin Straub
Attachments:
mysql_adapter.rb
About this deck:
We are makandra and do test-driven, agile Ruby on Rails software development.
License for source code
Posted by Thomas Eisenbarth to makandra dev
Privacy policy Terms of service Imprint
This website uses short-lived cookies to improve usability.
Accept or learn more