
SQL injection error at where method in controller

user1312 Published on July 23, 2018, 9:48 am

I have a where method in the Model and I am calling it in the controller.

def some_method
  test = Something::Model.where(params[:param1],
                                params[:param2],
                                params[:param2],
                                params[:param3])
  ..more code here..
end

After pushing my code to the remote branch, Jenkins started throwing Brakeman-related errors. After further investigation, I found that Brakeman is throwing a "Possible SQL injection" error at the line `test = Something::Model.where(params[:param1]`. So after some research I found that I have to use ActionController::Base.helpers.sanitize, so when I used it as follows, it didn't throw any Brakeman error.

def some_method
  test = Something::Model.where(ActionController::Base.helpers.sanitize(params[:param1]),
                                ActionController::Base.helpers.sanitize(params[:param2]),
                                ActionController::Base.helpers.sanitize(params[:param2]),
                                ActionController::Base.helpers.sanitize(params[:param3]))
  ..more code here..
end

My question is, is this the right way to fix that error, or is there a better way?

Thanks for reading
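To show what Brakeman is objecting to, here is an added example (not the poster's code and not ActiveRecord's implementation) that emulates how a positional-argument call to where is treated: the first argument is the SQL template, every further argument is a bind value quoted into a `?` placeholder. `quote_value`, `where_sql`, `unsafe_where` and `safe_where` are assumed stand-ins for ActiveRecord's sanitize_sql_array, written so the example runs without Rails.

```ruby
# Added example, not from the original post. quote_value/where_sql are a
# simplified stand-in for ActiveRecord's sanitize_sql_array, NOT the Rails API.

# Quote one bind value the way a SQL adapter would (single quotes doubled).
def quote_value(value)
  case value
  when Integer then value.to_s
  when nil     then "NULL"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Substitute quoted bind values for each `?` in the template.
# Only the bind VALUES are escaped; the template decides the SQL structure.
def where_sql(template, *binds)
  unless template.count("?") == binds.size
    raise ArgumentError, "expected #{template.count('?')} binds, got #{binds.size}"
  end
  i = -1
  template.gsub("?") { quote_value(binds[i += 1]) }
end

# Shape of the poster's call: params[:param1] becomes the template, so the
# request decides which columns, operators and placeholders the query has.
# HTML sanitizing the arguments does not change this.
def unsafe_where(params)
  where_sql(params[:param1], params[:param2], params[:param3])
end

# Hardened shape: the template is a literal in the code and only the values
# come from the request, which is what Brakeman wants to see.
def safe_where(params)
  where_sql("name = ? AND status = ?", params[:param2], params[:param3])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests.
  normal  = { param1: "name = ? AND status = ?", param2: "O'Brien", param3: "active" }
  altered = { param1: "status = ? OR name = ?", param2: "O'Brien", param3: "active" }
  puts unsafe_where(normal)   # same clause as safe_where
  puts unsafe_where(altered)  # different clause: structure chosen by the client
  puts safe_where(altered)    # structure fixed, values quoted
end
```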
