Ben - he's saying the injection attack was not successful, but that because it generates a 500, it causes a lot of annoying log / error reports and possibly process restarts depending on your config.

Best,
Rob

—
Sent from Mailbox

On Thu, Mar 12, 2015 at 11:53 AM, Ben Wanicur <[email protected]> wrote:

> That's interesting and I'd be curious to see how you ended up with a SQL
> injection attack. I always thought that if you use the standard
> ActiveRecord / WillPaginate API for querying that it should handle SQL
> injection attacks. For example:
>
> MyModel.where(...).paginate(page: params[:page], per_page: 10)
>
> The previous query is NOT susceptible to SQL injection attacks, yes?
>
> On Thu, Mar 12, 2015 at 9:40 AM, Rob Kaufman <[email protected]> wrote:
>
>> Not sure if you're using strong parameters or not, but this is an
>> interesting approach: https://github.com/zendesk/stronger_parameters.
>> Anyone out there using it?
>>
>> Rob
>>
>> —
>> Sent from Mailbox <https://www.dropbox.com/mailbox>
>>
>> On Thu, Mar 12, 2015 at 9:35 AM, Rob Kaufman <[email protected]> wrote:
>>
>>> On the plus side, other than throwing an exception, at least the injection
>>> attack is blocked.
>>>
>>> Rob
>>>
>>> —
>>> Sent from Mailbox <https://www.dropbox.com/mailbox>
>>>
>>> On Thu, Mar 12, 2015 at 9:23 AM, Chris McCann <[email protected]> wrote:
>>>
>>>> One of my apps uses will_paginate and I received several exception
>>>> notifications overnight that indicate someone tried a SQL injection attack
>>>> against the app using the :page parameter. How should I handle this?
>>>>
>>>> The route they tried:
>>>>
>>>> ...events/upcoming?page=convert%28int%2Cdb_name%28%29%29%20and%201%3D1
>>>>
>>>> The resulting error:
>>>>
>>>> A WillPaginate::InvalidPage occurred in events#upcoming:
>>>>
>>>> "convert(int,db_name()) and 1=1" given as value, which translates to
>>>> '0' as page number
>>>> /var/www/rails/apollo_production/shared/bundle/ruby/1.8/gems/will_paginate-2.3.16/lib/will_paginate/collection.rb:27:in `validate'
>>>>
>>>> Disregarding the general irritation this creates (how dare someone
>>>> try to SQL inject my app!), what's the right way to detect and handle this?
>>>>
>>>> Cheers,
>>>>
>>>> Chris
>>>>
>>>> --
>>>> SD Ruby mailing list
>>>> [email protected]
>>>> http://groups.google.com/group/sdruby
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "SD Ruby" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
