
James Smith

Building a better future out of code

Sanitizing :limit and :offset


I have a need in the Green Thing Rails app to pass in limit and offset parameters to a find query, and these parameters come from the URL. For example:

@examples = Example.find(:all, :limit => params[:limit], :offset => params[:offset])

This works fine, but is vulnerable to dodgy things making their way in through the parameters. Normally, to defend against SQL injection, you would use the array form of :conditions to sanitize the parameters, like so:

@examples = Example.find(:all, :conditions => ["name LIKE ?", params[:name]])

This is great for :conditions. However, you can't use it with :limit and :offset, even though they are just as vulnerable to SQL injection. The trick I came up with is this: :limit and :offset are both integers, so simply force the conversion to an integer before using them (checking for nil first, of course, so that an absent parameter stays absent instead of nil.to_i turning it into 0):

@examples = Example.find(:all, :limit => (params[:limit].nil? ? nil : params[:limit].to_i), :offset => (params[:offset].nil? ? nil : params[:offset].to_i))

This means that no nasty SQL can get in, because it won't get through the integer conversion. Simple and effective. Probably blindingly obvious, but I didn't find anything online to point me to this solution while I was looking around for :conditions-style sanitizing, so I thought I'd share.
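To show what the integer coercion actually does with hostile input, here is an added example (not code from the original post) in plain Ruby. It stands in for the Rails pattern with a string-keyed Hash as `params`, and it goes a little beyond the post: alongside the to_i approach it adds a stricter variant that rejects anything that is not a whole non-negative number, and a hypothetical MAX_LIMIT cap so a caller cannot page through the whole table at once.

```ruby
# Added example, not code from the original post. Plain Ruby stand-in for the
# Rails pattern: `params` is a Hash of strings as it would arrive from the URL.

MAX_LIMIT = 100   # assumed cap on rows per page; tune for your own app

# The post's approach: nil stays nil, anything else is forced through to_i.
# Note what to_i does with junk: "25; DROP TABLE examples".to_i => 25 and
# "abc".to_i => 0, so no SQL text survives, but garbage is silently accepted.
def coerce_with_to_i(value)
  value.nil? ? nil : value.to_i
end

# Stricter variant: only whole non-negative decimal numbers are accepted;
# anything else (including negatives) is treated as "not supplied".
def coerce_strict(value)
  return nil if value.nil?
  n = Integer(value.to_s, 10)   # raises ArgumentError on "25; DROP", "1.5", ""
  n >= 0 ? n : nil
rescue ArgumentError, TypeError
  nil
end

# Builds the :limit/:offset options for a find call from the raw params hash,
# clamping :limit so a request cannot pull the whole table in one page.
def paging_options(params, max_limit: MAX_LIMIT)
  limit  = coerce_strict(params["limit"])
  offset = coerce_strict(params["offset"])
  limit = max_limit if limit && limit > max_limit
  { limit: limit, offset: offset }
end

if __FILE__ == $0
  # Constructed sample inputs, including the kind of junk the post warns about.
  [
    { "limit" => "10", "offset" => "20" },
    { "limit" => "25; DROP TABLE examples", "offset" => "0" },
    { "limit" => "-5" },
    { "limit" => "1000000" },
    {},
  ].each do |params|
    puts "#{params.inspect} => #{paging_options(params).inspect}"
  end
end
```

The to_i version is enough to keep SQL text out of the query, which is the post's point; the strict version additionally makes bad input visible (it becomes nil rather than a silent 0 or a truncated number), which is usually what you want when a parameter is supposed to be a page size.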

Of course, if I've missed something glaringly obvious, please let me know ;)
