Thanks, Bensie, that's along the lines of what I was considering doing.

On Thu, Mar 12, 2015 at 9:29 AM, James Miller <[email protected]> wrote:

> Could add something like this to ensure the page param is valid, then call
> this instead of passing the param directly when paginating:
>
>     def page
>       p = params[:page].to_i   # non-numeric input becomes 0
>       p > 1 ? p : 1            # fall back to the first page
>     end
>
> James
>
> On Thu, Mar 12, 2015 at 9:23 AM, Chris McCann <[email protected]> wrote:
>
>> One of my apps uses will_paginate and I received several exception
>> notifications overnight that indicate someone tried a SQL injection attack
>> against the app using the :page parameter. How should I handle this?
>>
>> The route they tried:
>>
>> ...events/upcoming?page=convert%28int%2Cdb_name%28%29%29%20and%201%3D1
>>
>> The resulting error:
>>
>> A WillPaginate::InvalidPage occurred in events#upcoming:
>>
>> "convert(int,db_name()) and 1=1" given as value, which translates to '0'
>> as page number
>> /var/www/rails/apollo_production/shared/bundle/ruby/1.8/gems/will_paginate-2.3.16/lib/will_paginate/collection.rb:27:in `validate'
>>
>> Disregarding the general irritation this creates (how dare someone
>> try to SQL inject my app!), what's the right way to detect and handle this?
>>
>> Cheers,
>>
>> Chris
>>
>> --
>> SD Ruby mailing list
>> [email protected]
>> http://groups.google.com/group/sdruby
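An added example (not code from the thread or from will_paginate) that extends James's helper: it accepts only plain positive integers for `:page`, clamps to an assumed upper bound `MAX_PAGE`, and reports whether the raw value looked like a probe so the controller can log it instead of raising `WillPaginate::InvalidPage`. `sanitize_page` and `page_param` are hypothetical helper names.

```ruby
require 'logger'

# Assumed upper bound on page numbers; tune to the app's collection sizes.
MAX_PAGE = 10_000

# Returns [page, suspicious]. page is always a positive Integer <= max.
# suspicious is true when the raw value was not a plain positive integer,
# e.g. the "convert(int,db_name()) and 1=1" probe seen in the thread.
def sanitize_page(raw, max: MAX_PAGE)
  str = raw.to_s.strip
  return [1, false] if str.empty?          # no page given: first page, nothing odd

  # Strict digits-only check. String#to_i alone would silently turn
  # "convert(...) and 1=1" into 0 and "3 and 1=1" into 3.
  return [1, true] unless str.match?(/\A\d+\z/)

  n = str.to_i
  return [1, true]   if n.zero?            # "0" is not a valid page
  return [max, true] if n > max            # absurd pages: probe or DoS smell
  [n, false]
end

# Controller-style helper: returns a safe page and logs suspicious input
# with the request path so the attempt shows up in application logs.
def page_param(params, logger: Logger.new($stderr), path: nil)
  page, suspicious = sanitize_page(params[:page])
  if suspicious
    logger.warn("invalid page param #{params[:page].inspect} on #{path}; using #{page}")
  end
  page
end
```

Call `page_param(params, path: request.fullpath)` where the controller currently passes `params[:page]` to `paginate`.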
