It looks like this particular problem is that they are using placeholder names (why?) and the name can get controlled by the user. Using traditional ? placeholders, I don’t get how you can do SQL injection with something like:
user_ids = [ 1, 2, 3, 4 ]
execute("SELECT name FROM users WHERE user_id IN (" + user_ids.map{|u| "?" }.join(",") + ")", user_ids)
I think in the worst case if user_ids is some multi-dimensional array, you’ll get a SQL error when the number of placeholders don’t match the number of variables, but you’re still not executing any parts of the statement that the user can alter.
This is a weakness in most SQL APIs. You can’t effectively bind an array to a variable.
Really wish I could something like that, instead of exploding out the string by hand.
It looks like this particular problem is that they are using placeholder names (why?) and the name can get controlled by the user. Using traditional
?placeholders, I don’t get how you can do SQL injection with something like:I think in the worst case if
user_idsis some multi-dimensional array, you’ll get a SQL error when the number of placeholders don’t match the number of variables, but you’re still not executing any parts of the statement that the user can alter.