Thanks for posting -- we just got hit with 5000 attempts like this; a bunch of variants all trying to get something to the database. They appear to have failed. So there's some bot out there. Shoo.
We're using WillPaginate 3.0.7

On Thursday, March 12, 2015 at 12:23:53 PM UTC-4, Chris McCann wrote:
>
> One of my apps uses will_paginate and I received several exception
> notifications overnight that indicate someone tried a SQL injection attack
> against the app using the :page parameter. How should I handle this?
>
> The route they tried:
>
> ...events/upcoming?page=convert%28int%2Cdb_name%28%29%29%20and%201%3D1
>
> The resulting error:
>
> A WillPaginate::InvalidPage occurred in events#upcoming:
>
> "convert(int,db_name()) and 1=1" given as value, which translates to '0'
> as page number
> /var/www/rails/apollo_production/shared/bundle/ruby/1.8/gems/will_paginate-2.3.16/lib/will_paginate/collection.rb:27:in `validate'
>
> Disregarding the general irritation this creates (how dare someone try
> to SQL inject my app!), what's the right way to detect and handle this?
>
> Cheers,
>
> Chris
> --

--
SD Ruby mailing list
[email protected]
http://groups.google.com/group/sdruby
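The quoted message asks how to detect and handle this. The pasted error already says what happened: will_paginate turned the string into 0 and refused it as a page number, so the payload was rejected before any query ran. The following is an added example, not code from the poster's app or from will_paginate, showing the two things worth doing in the controller: validate :page as a strict unsigned integer before handing it to paginate (String#to_i is lenient, so "2 and 1=1" would become page 2 with no trace of the attempt), and tag rejected values in the log so a scan like this is visible without raising an exception notification. The function names, the 10,000-page cap, the six-digit limit and the keyword patterns are assumptions chosen for the illustration.

```ruby
require "uri"

# Added example (not the poster's app or will_paginate code). Names, the
# page cap and the regexes below are choices made for this illustration.

# Decode a raw query-string value the way Rack does before it lands in
# params[:page]. Malformed %-escapes are treated as an empty value.
def decode_page_param(raw)
  URI.decode_www_form_component(raw.to_s)
rescue ArgumentError
  ""
end

# Lenient coercion: String#to_i keeps leading digits and silently drops the
# rest, so "2 and 1=1" becomes page 2 and nothing is logged.
def lenient_page(value)
  value.to_s.to_i
end

# Strict allow-list: an unsigned decimal integer of modest length, within a
# cap (assumed 10_000 here). Returns the Integer page or nil if unacceptable;
# a missing/blank param defaults to page 1.
PAGE_PATTERN = /\A\d{1,6}\z/

def parse_page(value, max_page: 10_000)
  return 1 if value.nil? || value == ""
  return nil unless value.is_a?(String) && value.match?(PAGE_PATTERN)
  page = Integer(value, 10)
  (1..max_page).cover?(page) ? page : nil
end

# Log-tagging heuristic for rejected values: SQL keywords, quotes, parens,
# comparison operators. Only used to annotate the log line, never to decide.
SQLI_HINTS = [/\b(select|union|convert|db_name|sleep|and|or)\b/i, /['";()=]/].freeze

def sqli_like?(value)
  SQLI_HINTS.any? { |re| value.to_s.match?(re) }
end

# What a controller would do with params[:page]. Returns [status, page, note]:
# 200 with the validated page, or 400 with a note suitable for the log.
def handle_page_param(raw_value)
  decoded = decode_page_param(raw_value)
  page = parse_page(decoded)
  return [200, page, nil] if page

  tag = sqli_like?(decoded) ? "looks like SQL injection" : "not a page number"
  [400, nil, "rejected page param (#{tag}): #{decoded.inspect}"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the payload from the post, a normal page, and a
  # variant that lenient to_i would quietly accept as page 2.
  ["convert%28int%2Cdb_name%28%29%29%20and%201%3D1", "3", "2%20and%201%3D1"].each do |raw|
    status, page, note = handle_page_param(raw)
    lenient = lenient_page(decode_page_param(raw))
    puts "#{raw.ljust(48)} -> #{status} page=#{page.inspect} lenient_to_i=#{lenient} #{note}"
  end
end
```

Wire parse_page in front of the paginate call and keep `rescue_from WillPaginate::InvalidPage` (rendering 400 or 404) as a backstop for anything that slips past; log the rejection rather than letting it fire an exception notification, since a bad page value is a request problem, not an application error.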
