Right on. In that case, and if it's useful to know about these attacks, you could capture the exception (log or track IP and other info) and do something like Bensie suggests in the rescue block.

On Thu, Mar 12, 2015 at 11:56 AM, Rob Kaufman <[email protected]> wrote:

> Ben - he's saying the injection attack was not successful, but that because it generates a 500 it causes a lot of annoying log / error reports and possibly process restarts depending on your config.
>
> Best,
> Rob
>
> —
> Sent from Mailbox <https://www.dropbox.com/mailbox>
>
> On Thu, Mar 12, 2015 at 11:53 AM, Ben Wanicur <[email protected]> wrote:
>
>> That's interesting and I'd be curious to see how you ended up with a SQL injection attack. I always thought that if you use the standard ActiveRecord / WillPaginate API for querying it should handle SQL injection attacks. For example:
>>
>>     MyModel.where(...).paginate(page: params[:page], per_page: 10)
>>
>> The previous query is NOT susceptible to SQL injection attacks, yes?
>>
>> On Thu, Mar 12, 2015 at 9:40 AM, Rob Kaufman <[email protected]> wrote:
>>
>>> Not sure if you're using strong parameters or not, but this is an interesting approach: https://github.com/zendesk/stronger_parameters. Anyone out there using it?
>>>
>>> Rob
>>>
>>> On Thu, Mar 12, 2015 at 9:35 AM, Rob Kaufman <[email protected]> wrote:
>>>
>>>> On the plus side, other than throwing an exception, at least the injection attack is blocked.
>>>>
>>>> Rob
>>>>
>>>> On Thu, Mar 12, 2015 at 9:23 AM, Chris McCann <[email protected]> wrote:
>>>>
>>>>> One of my apps uses will_paginate and I received several exception notifications overnight that indicate someone tried a SQL injection attack against the app using the :page parameter. How should I handle this?
>>>>>
>>>>> The route they tried:
>>>>>
>>>>>     ...events/upcoming?page=convert%28int%2Cdb_name%28%29%29%20and%201%3D1
>>>>>
>>>>> The resulting error:
>>>>>
>>>>>     A WillPaginate::InvalidPage occurred in events#upcoming:
>>>>>
>>>>>     "convert(int,db_name()) and 1=1" given as value, which translates to '0' as page number
>>>>>     /var/www/rails/apollo_production/shared/bundle/ruby/1.8/gems/will_paginate-2.3.16/lib/will_paginate/collection.rb:27:in `validate'
>>>>>
>>>>> Disregarding the general irritation this creates (how dare someone try to SQL inject my app!), what's the right way to detect and handle this?
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Chris
>>>>>
>>>>> --
>>>>> SD Ruby mailing list
>>>>> [email protected]
>>>>> http://groups.google.com/group/sdruby
>>>>> ---
>>>>> You received this message because you are subscribed to the Google Groups "SD Ruby" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>> For more options, visit https://groups.google.com/d/optout.
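A concrete version of the "validate the :page parameter, rescue, log the IP, answer with a client error" approach the replies sketch, as an added example that is not code from the thread, from will_paginate or from Rails. It is plain Ruby so it runs without a Rails app; the names PageParam, PageGuard and MAX_PAGE are assumptions for the illustration, and the request below is constructed from the probe URL in Chris's message.

```ruby
require 'json'
require 'logger'
require 'stringio'
require 'uri'

# Added example, not code from the thread or from will_paginate. The names
# PageParam, PageGuard and MAX_PAGE are assumptions made for this illustration.
module PageParam
  class Invalid < StandardError; end

  # Assumption: an upper bound so a huge page number cannot become an enormous
  # OFFSET and a slow query.
  MAX_PAGE = 100_000

  # Roughly what lenient coercion does: String#to_i keeps leading digits and
  # drops the rest. The probe from the thread becomes 0 (hence "translates to
  # '0' as page number" in the error), while "5 and 1=1" quietly becomes 5 and
  # would never show up in an exception report at all.
  def self.naive_coerce(raw)
    raw.to_i
  end

  # Strict parse: accept only a plain positive integer and reject everything
  # else before it reaches the pagination layer. Missing or empty means page 1.
  def self.parse(raw)
    return 1 if raw.nil? || raw.to_s.empty?
    str = raw.to_s
    raise Invalid, "non-numeric page value #{str.inspect}" unless str.match?(/\A\d+\z/)
    page = Integer(str, 10)
    raise Invalid, "page out of range: #{page}" unless page.between?(1, MAX_PAGE)
    page
  end
end

# Stands in for the controller-level rescue block: the request gets a 400
# (a client error, not a 500 that fans out to the error reporter) and the
# attempt is written as one JSON log line with client IP, path and raw value.
class PageGuard
  def initialize(logger)
    @logger = logger
  end

  # query_string is the raw query part of the URL, e.g. "page=2&per_page=10".
  # Returns [status, body] in the style of a Rack handler.
  def handle(query_string, remote_ip:, path:)
    params = URI.decode_www_form(query_string).to_h
    page = PageParam.parse(params['page'])
    [200, { 'page' => page }]
  rescue PageParam::Invalid => e
    @logger.warn(JSON.generate(
      'event' => 'invalid_page_param',
      'ip' => remote_ip,
      'path' => path,
      'value' => params['page'].to_s[0, 200], # truncated so the log line stays bounded
      'reason' => e.message
    ))
    [400, { 'error' => 'invalid page parameter' }]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the probe from the thread (URL-encoded) and a benign request.
  io = StringIO.new
  guard = PageGuard.new(Logger.new(io))
  probe = 'page=convert%28int%2Cdb_name%28%29%29%20and%201%3D1'
  p guard.handle(probe, remote_ip: '203.0.113.7', path: '/events/upcoming')
  p guard.handle('page=2', remote_ip: '203.0.113.7', path: '/events/upcoming')
  puts io.string
end
```

In a Rails controller the same flow is wired up with `rescue_from WillPaginate::InvalidPage` and a handler that logs `request.remote_ip` together with the offending `params[:page]` and renders with `status: :bad_request`; the strict parse above can also run before the query so the exception never fires. As Rob notes, the parameterized `where` / `paginate` call was never injectable in the first place; what this buys you is quieter error reporting and a log record of who is probing.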
