Rails very important methods (SQL injection risks in ActiveRecord) ::::::::::::::::::::::::::::::::

Source link ::

https://rails-sqli.org/

The examples below follow that reference. Each one is a query method whose user-controlled argument (params[...]) ends up in the SQL text instead of being bound as a value.

.....................................................


1. calculate method (sum) :: 

The column argument is placed into the aggregate as raw SQL, so a user-supplied column name controls the SELECT list of the query.

Order.calculate(:sum, params[:column])
2. delete_by / destroy_by methods ::

Both take the same condition forms as where. A raw string is unsafe, and the array form is only safe when every user value goes through a ? placeholder: the second example binds params[:id] but still interpolates params[:admin].

User.delete_by("id = #{params[:id]}")
User.destroy_by(["id = ? AND admin = '#{params[:admin]}", params[:id]])

3. exists? method ::

exists? normally receives a primary key. Do not rely on a bare string being treated as a key value, and the array form in the second example is unsafe because params[:user] is interpolated into the condition instead of being bound.

User.exists? params[:user]

User.exists? ["name = '#{params[:user]}'"]


4. find_by method :: 

find_by hands its argument to where, so a bare string is used as raw SQL; the hash form (column name mapped to the value) is the safe one. Note that find_or_create_by / find_or_create_by! / find_or_initialize_by all call find_by and are therefore vulnerable to SQL injection in the same way.

User.find_by params[:id]


5. from method :: 

from replaces the FROM clause with the string it is given, so the table itself becomes user-controlled. Instead of returning all non-admin users, the injected query returns all admin users.

User.from(params[:from]).where(admin: false).all

6. group method ::

The intent of this query is to group non-admin users by the specified column. Because params[:group] is appended verbatim after GROUP BY, the injected query returns all users instead.

User.where(:admin => false).group(params[:group])


7. having method ::

Like where, having accepts a raw SQL string. Here the input injects a UNION in order to return all orders, instead of just the orders from a single user.

Order.where(:user_id => 1).group(:user_id).having("total > #{params[:total]}")

8. joins method ::

joins can take an array of associations or raw SQL strings. A user-supplied string here lets the caller skip the WHERE clause and return all orders instead of just the orders for the specified user.

Order.joins(params[:table]).where("total > 1000").all

9. lock method and option ::

lock(true) adds FOR UPDATE, but a string argument is appended to the query verbatim as the lock clause. The reference site calls this "not a real example" only because its SQLite demo database does not support lock clauses; on databases that do, the string is injected as written.

User.where('id > 1').lock(params[:lock])

10. not method :: 

The not method (reached as where.not) is equivalent to where and is equally unsafe when passed a SQL string with interpolated input directly; the hash and array forms are the safe ones.



11. select method ::

Since the SELECT clause is at the beginning of the query, nearly any SQL can be injected.


User.select(params[:column])

12. reselect method ::

This is the same as select. Since the SELECT clause is at the beginning of the query, nearly any SQL can be injected, including querying totally different tables than intended.

User.select(:name).reselect(params[:column])
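Column, table and association names cannot be bound as query parameters, so for calculate (item 1), from (5), group (6), joins (8), lock (9), select (11) and reselect (12) the only defence is an allow-list. The block below is an added example; it is not code from rails-sqli.org or from Rails. The column list, the association map and the SQL shapes are assumptions, and it builds the SQL text by hand so that the unchecked and the allow-listed version can be compared offline against the same constructed payload:

```ruby
# Added example, not from rails-sqli.org or Rails itself. Table, column and
# association names below are assumptions for illustration.

# Identifiers the application is willing to expose to user-chosen parameters.
USER_COLUMNS = %w[id name email created_at].freeze
ORDER_JOINS  = { "user" => :user, "items" => :line_items }.freeze # assumed associations

class DisallowedIdentifier < ArgumentError; end

# Resolve a user-supplied column name against the allow-list. Comparison is exact
# after trimming and downcasing; anything else (a second column, a UNION, a
# comment marker) raises instead of reaching the query.
def safe_column(param, allowed: USER_COLUMNS)
  name = param.to_s.strip.downcase
  return name if allowed.include?(name)
  raise DisallowedIdentifier, "column not allowed: #{param.inspect}"
end

# Resolve a user-supplied join name to an association symbol, the form joins
# treats as an association rather than as raw SQL.
def safe_join(param)
  ORDER_JOINS.fetch(param.to_s) { raise DisallowedIdentifier, "join not allowed: #{param.inspect}" }
end

# lock takes either a boolean (FOR UPDATE) or a raw clause string; derive the
# boolean from the request and never pass the request string through.
def safe_lock(param)
  %w[1 true].include?(param.to_s.downcase)
end

# The unchecked shape from item 6: params[:group] lands verbatim after GROUP BY.
def group_sql_unchecked(column)
  "SELECT users.* FROM users WHERE users.admin = 0 GROUP BY #{column}"
end

# Allow-listed shape: same query, but the column has been validated first.
def group_sql_checked(column)
  "SELECT users.* FROM users WHERE users.admin = 0 GROUP BY #{safe_column(column)}"
end

# Constructed payload: a real column followed by a UNION that drops the admin
# filter, the kind of input items 6 and 11 above describe.
PAYLOAD = "name UNION SELECT * FROM users"

if __FILE__ == $PROGRAM_NAME
  puts group_sql_unchecked(PAYLOAD)   # whole payload survives into the query
  puts group_sql_checked("name")      # legitimate column passes
  begin
    group_sql_checked(PAYLOAD)
  rescue DisallowedIdentifier => e
    puts "rejected: #{e.message}"     # payload never reaches SQL
  end
  puts safe_join("items").inspect
  puts safe_lock("true")
end
```

In application code the validated values are what get handed to ActiveRecord: the allow-listed column to group/select/calculate, the association symbol to joins, and the boolean to lock. Rejecting rather than sanitising is deliberate; there is no quoting rule for identifiers that survives every database, so the input either matches a known name or it is an error.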

13. where method ::

The example below is the classic SQL injection used to bypass authentication: both values are spliced into the condition string, so a quote in either one rewrites the condition.


User.where("name = '#{params[:name]}' AND password = '#{params[:password]}'")


14. rewhere method ::

Like where, the rewhere method can be passed a raw SQL string. A string names no attribute to replace, so rewhere simply ANDs it onto the existing conditions, and the interpolated value lands in the SQL text.

Calls using a hash of name-value pairs are escaped, and the array form can be used for safely parameterizing queries.


User.where(name: "Bob").rewhere("age > #{params[:age]}")

15. update_all method :: 

update_all accepts any SQL as a string, including a WHERE clause.

User input should never be passed directly to update_all, only as values in a hash; the conditions belong in a where call with bound values.

User.update_all("admin = 1 WHERE name LIKE '%#{params[:name]}%'")
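For the condition-taking methods (where, where.not, having, exists?, delete_by, destroy_by, rewhere and the WHERE part of update_all) the fix is the same: user input goes in as a bound value, never as part of the SQL text. The block below is an added example, not code from rails-sqli.org or from Rails. Its quote_value and bind helpers imitate the placeholder substitution of ActiveRecord's array form so the resulting SQL can be shown offline; they double single quotes, the standard-SQL escape, and are a teaching stand-in, not the real sanitize_sql_array. It replays the login bypass from item 13 and the LIKE case from item 15 in both the interpolated and the bound form:

```ruby
# Added example, not from rails-sqli.org or Rails. quote_value/bind imitate the
# array form where("col = ?", value); they are a teaching stand-in, not the real
# ActiveRecord implementation.

# Quote one bind value as a SQL literal. Strings get single quotes doubled, the
# standard-SQL escape, so a quote in the input can never close the literal.
def quote_value(value)
  case value
  when Integer, Float then value.to_s
  when nil            then "NULL"
  when true           then "1"
  when false          then "0"
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Replace each ? in the fragment with the matching quoted value. gsub with a
# block walks the original fragment once, so a ? inside a substituted value is
# never treated as a placeholder.
def bind(fragment, *values)
  expected = fragment.count("?")
  unless expected == values.size
    raise ArgumentError, "fragment has #{expected} placeholders, got #{values.size} values"
  end
  pending = values.dup
  fragment.gsub("?") { quote_value(pending.shift) }
end

# Escape LIKE metacharacters so a bound pattern matches them literally (backslash
# as the escape character, the job sanitize_sql_like does in Rails).
def like_escape(text)
  text.gsub(/[\\%_]/) { |c| "\\#{c}" }
end

# Item 13 as written: values spliced into the SQL text.
def login_sql_interpolated(name, password)
  "SELECT users.* FROM users WHERE name = '#{name}' AND password = '#{password}'"
end

# Item 13, array form: the same condition with both values bound.
def login_sql_bound(name, password)
  "SELECT users.* FROM users WHERE " + bind("name = ? AND password = ?", name, password)
end

# Item 15 as written: the WHERE clause travels inside the update_all string.
def promote_sql_interpolated(name)
  "UPDATE users SET admin = 1 WHERE name LIKE '%#{name}%'"
end

# Item 15, safe shape: SET comes from a hash (admin: true) and the filter is a
# bound LIKE pattern whose wildcards are escaped.
def promote_sql_bound(name)
  "UPDATE users SET admin = 1 WHERE " + bind("name LIKE ? ESCAPE '\\'", "%#{like_escape(name)}%")
end

# Constructed payloads for the two items.
LOGIN_PAYLOAD = "' OR '1'='1"
LIKE_PAYLOAD  = "%' OR 1=1; --"

if __FILE__ == $PROGRAM_NAME
  puts login_sql_interpolated("bob", LOGIN_PAYLOAD) # password check becomes a tautology
  puts login_sql_bound("bob", LOGIN_PAYLOAD)        # payload is just a string literal
  puts promote_sql_interpolated(LIKE_PAYLOAD)       # filter neutralised, rest commented out
  puts promote_sql_bound(LIKE_PAYLOAD)              # wildcard escaped, quotes doubled
end
```

In Rails the equivalents are User.where("name = ? AND password = ?", name, password) or the hash form User.where(name: name, password: password), and User.where("name LIKE ?", "%#{User.sanitize_sql_like(name)}%").update_all(admin: true). The same array or hash forms apply to having, exists?, delete_by, destroy_by, rewhere and where.not; the only thing that changes between the vulnerable and the fixed call is whether the user value is part of the string or a separate argument.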