Is ActiveRecord’s “order” method vulnerable to SQL injection?

by

Yes, ActiveRecord’s “order” method is vulnerable to SQL injection.

No, it is not safe to use interpolated strings when calling .order.

The above answers to my question have been confirmed by Aaron Patterson, who pointed me to http://rails-sqli.org/#order . From that page:

Taking advantage of SQL injection in ORDER BY clauses is tricky, but a
CASE statement can be used to test other fields, switching the sort
column for true or false. While it can take many queries, an attacker
can determine the value of the field.

Therefore it’s important to manually check anything going to order is safe; perhaps by using methods similar to @dmcnally’s suggestions.

Thanks all.

More Related Contents:

  1. How to use ANY instead of IN in a WHERE clause?
  2. LEFT OUTER JOIN in Rails 4
  3. SQL Server search using like while ignoring blank spaces
  4. Use variable with TOP in select statement in SQL Server without making it dynamic [duplicate]
  5. Run a query with a LIMIT/OFFSET and also get the total number of rows
  6. How to retrieve the current value of an oracle sequence without increment it?
  7. how to increment integer Columns value by 1 in SQL
  8. Left Join without duplicate rows from left table
  9. How do I find the data directory for a SQL Server instance?
  10. How to update rows with a random date
  11. ActiveRecord find_each combined with limit and order
  12. How to create a new database with the hstore extension already installed?
  13. Oracle date “Between” Query
  14. How do I compare two columns for equality in SQL Server?
  15. How important are lookup tables?
  16. Insert data and set foreign keys with Postgres
  17. How to call Oracle MD5 hash function?
  18. IIS connecting to LocalDB
  19. SQL: Aggregating strings together
  20. Fetch records that are non zero after the decimal point in PostgreSQL
  21. Flattening of a 1 row table into a key-value pair table
  22. How to use a ring data structure in window functions
  23. MySql bulk load command line tool
  24. SQL Server equivalent of WM_CONCAT function [duplicate]
  25. Distributed transaction error?
  26. selecting top N rows for each group in a table
  27. How to check db2 version
  28. Determine what user created objects in SQL Server
  29. Oracle: ‘= ANY()’ vs. ‘IN ()’
  30. Getting warning: Null value is eliminated by an aggregate or other SET operation

Leave a Comment