[Rails] SQL Injection Attacks

David Heinemeier Hansson david at loudthinking.com
Thu Dec 2 10:19:48 GMT 2004


> SQL injection attacks are actually a big fear of mine with rails; I've
> not seen any convincing evidence that care has been taken on this
> issue, and some evidence (such as this) that it hasn't be sufficiently
> examined. I'd hate to see rails get a reputation akin to that of
> PHPNuke, which seems to have a weekly SQL injection attack posted to
> bugtraq.

There's no need to fear. Security is not likely to ever be a bullet 
point on the feature list of a framework. All Rails does is provide you 
with a number of features to _help_ deal with security, like SQL 
injection (see Conditions under 
http://ar.rubyonrails.org/classes/ActiveRecord/Base.html) and guarding 
access to attributes with 
(http://ar.rubyonrails.org/classes/ActiveRecord/Base.html#M000093).

Giving any language or framework the reputation of not dealing with 
SQL-injection is plain silly. As a developer, you're always the one 
where the buck stops. If some feature of a framework isn't available or 
sufficient, you make sure that your application takes the proper 
measures to deal with it.

Additionally, it's double silly to compare an application like PHPNuke 
with a framework like Rails. But I trust that this was not the intent 
of your post.

Bottom line: Please be specific about security concerns. If Rails has a 
security bug, I'm the first that wants to hear about it. If you have a 
specific feature that you think would make it easier on you as a 
developer to deal with security, please write up a proposal (your 
points in the quoting are almost that) or better yet supply a patch for 
consideration.

> Beyond that, there's the issue of ruby's security level, tainting input
> variables, and so on, which I've not looked at at all in relation to
> rails.

Just like Rails offers some features for security you can _choose_ to 
use, so does Ruby. For Rails, I've currently chosen that the tainting 
facilities haven't been necessary or helpful in combatting security 
concerns. If someone wants to reevaluate that choice by showing a few 
cases where the tainting could help, I'd be more than happy to listen.
--
David Heinemeier Hansson,
http://www.basecamphq.com/   -- Web-based Project Management
http://www.rubyonrails.org/  -- Web-application framework for Ruby
http://macromates.com/       -- TextMate: Code and markup editor (OS X)
http://www.loudthinking.com/ -- Broadcasting Brain
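To make concrete the two Rails features the reply points at (the "Conditions" array with ? placeholders, and guarding attributes against mass assignment), here is an added, self-contained Ruby example. It is not code from the post or from ActiveRecord; the method names (quote_value, sanitize_conditions, unsafe_conditions, assign_attributes) are hypothetical stand-ins for what the framework does internally, and the sample input is constructed.

```ruby
# Added example, not part of the mailing-list post or of Rails itself.
# A minimal re-implementation of the ideas behind ActiveRecord's
# conditions array (["name = ?", value]) and its protected-attribute list,
# so the difference between interpolation and placeholders is visible.

# Quote one Ruby value as a SQL literal. Single quotes inside strings are
# doubled, which is the standard-SQL escape. Caveat: a real adapter must
# escape according to the database dialect (some also treat backslash as
# an escape character), so this is illustrative, not a drop-in quoting routine.
def quote_value(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  when true           then "1"
  when false          then "0"
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Expand a conditions array such as ["name = ? AND age > ?", name, 18]
# into a WHERE fragment. A plain String is passed through untouched, which
# is exactly why interpolating user input into that String is dangerous.
def sanitize_conditions(conditions)
  return conditions if conditions.is_a?(String)
  statement, *values = conditions
  expected = statement.count("?")
  unless expected == values.size
    raise ArgumentError, "wrong number of bind variables (#{values.size} for #{expected})"
  end
  remaining = values.dup
  statement.gsub("?") { quote_value(remaining.shift) }   # substitute left to right
end

# The unsafe pattern: user-controlled text dropped straight into the SQL.
def unsafe_conditions(name)
  "name = '#{name}'"
end

# Mass assignment with a protected list (the "guarding access to
# attributes" feature): keys on the protected list are silently skipped,
# so a request parameter cannot flip a column such as "admin".
def assign_attributes(record, params, protected_attrs)
  protected_attrs = protected_attrs.map(&:to_s)
  params.each do |key, value|
    next if protected_attrs.include?(key.to_s)
    record[key.to_s] = value
  end
  record
end

if __FILE__ == $0
  # Constructed sample input containing a stray quote, as a user might type.
  user_input = "x' OR '1'='1"
  puts "interpolated : " + unsafe_conditions(user_input)
  puts "placeholder  : " + sanitize_conditions(["name = ?", user_input])
  puts "typed values : " + sanitize_conditions(["id = ? AND active = ?", 5, true])
  p assign_attributes({}, { "name" => "bob", "admin" => true }, [:admin])
end
```

With the placeholder form, the quote in the input is doubled and stays inside the string literal, so the whole value is compared against the name column rather than being parsed as SQL; the interpolated form emits the input verbatim. The bind-count check is there because a mismatch between ? markers and values is the usual sign that someone has concatenated a fragment by hand.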
