[Rails] SQL Injection Attacks
David Heinemeier Hansson
david at loudthinking.com
Thu Dec 9 09:03:46 GMT 2004
> Turning off sprintf is too much, though perhaps adding a logger.warn
> is worthwhile? And deprecating the original option in the documents?
I fully agree. Turning off sprintf is indeed excessive and would
unnecessarily burden the many applications already built on top of
Rails that have managed to use statement interpolation without doing
unquoted %s.
The new styles are already what's featured in the documentation and
people will surely upgrade to it over time. Deprecation is more than
adequate.
Also, the sprintf method now delegates to the database quoting
mechanism as well.
--
David Heinemeier Hansson,
http://www.basecamphq.com/ -- Web-based Project Management
http://www.rubyonrails.org/ -- Web-application framework for Ruby
http://macromates.com/ -- TextMate: Code and markup editor (OS X)
http://www.loudthinking.com/ -- Broadcasting Brain
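A minimal illustration of the two condition styles the thread contrasts, added here as an example and not Rails' own code: `sanitize_conditions`, `quote_value` and `escape_string` are hypothetical names, and the doubled-single-quote escaping rule is an assumption rather than any particular adapter's behaviour.

```ruby
# Escape a string for use inside an already-quoted SQL literal by doubling
# embedded single quotes (assumed rule; real adapters quote per database).
def escape_string(str)
  str.to_s.gsub("'", "''")
end

# Quote a whole value as a SQL literal: strings become quoted and escaped,
# numbers pass through unchanged, nil becomes NULL.
def quote_value(value)
  case value
  when nil     then "NULL"
  when Numeric then value.to_s
  else "'#{escape_string(value)}'"
  end
end

# New style: each "?" placeholder is replaced by a fully quoted value, so
# the template never has to carry its own quotes.
def sanitize_with_placeholders(template, values)
  values = values.dup
  unless template.count("?") == values.size
    raise ArgumentError, "expected #{template.count('?')} bind values, got #{values.size}"
  end
  template.gsub("?") { quote_value(values.shift) }
end

# Legacy sprintf style: %s still works, but every value is escaped before
# interpolation (mirroring the thread's "delegates to the database quoting"),
# and the caller is warned, since the style is deprecated rather than removed.
def sanitize_with_sprintf(template, values)
  warn "sprintf-style conditions are deprecated; use ? placeholders instead"
  template % values.map { |v| escape_string(v) }
end

# Entry point: an array of [template, *values] in either style.
def sanitize_conditions(conditions)
  template, *values = conditions
  if template.include?("?")
    sanitize_with_placeholders(template, values)
  else
    sanitize_with_sprintf(template, values)
  end
end

# Constructed sample: a legitimate value containing a quote.
puts sanitize_conditions(["name = ?", "O'Brien"])      # name = 'O''Brien'
puts sanitize_conditions(["name = '%s'", "O'Brien"])   # name = 'O''Brien'
```

Note that a legacy template with an unquoted `%s` (such as `"name = %s"`) still produces malformed SQL for string values even after escaping; that is exactly why the thread prefers deprecation warnings that nudge callers towards the `?` style.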