And I respect PHP very much for that focus. But as soon as you go beyond the very basics, I think the learning curve there is steeper. Rails simply has so many answers to so many questions, and it introduces those answers in a pretty progressive way. You don't even have to learn what SQL injection is if you're using the preferred query methods. You SHOULD learn what that is, but you don't have to to get started. If you don't know what SQL injection is and you use the MySQL db query functions with a string-i
by Anonymous Coward writes:
on Wednesday August 31, 2016 @03:03PM (#52804123)
Conflating language and Framework (Score:4)
Re:Conflating language and Framework (Score:0)
Honestly I think you're giving him a bit too much credit. "You don't even have to learn what SQL injection is if you're using the preferred query methods." You mean...like...ones that aren't vulnerable to SQL injection attacks David? The ones you just told us we didn't need to know about?
Incidentally, when DHH is finished huffing nitrous oxide out of whipped cream cans, he might want to do a bit of Google searching...there's an entire page dedicated to SQL injection attacks against Rails... [rails-sqli.org]
Re: (Score:0)
there's an entire page dedicated to SQL injection attacks against Rails... [rails-sqli.org]
I was going to say that the examples on the site use SQL fragments and thus are not the safe methods and that the site is completely missing the point...
but then I noticed that there are some more clever things described too, so instead I'll just say: Interesting.
(Though my overall reaction to the site remains: how often do you really pass user input to a HAVING or GROUP BY clause? They're not engineered for that, and I certainly wouldn't expect them to be either!)
Re: (Score:0)
The :select option allows complete control over the SELECT clause of the query.
Well, no shit. It's stupid to list it as an injection vector though.
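As an added illustration (not code from this thread, from DHH, or from Rails itself), a small Ruby lint for the pattern the comments above argue about: ActiveRecord fragment methods such as where, select, group, having and order handed a string built with #{} interpolation or a bare params[] value, while the hash-conditions and ? placeholder forms pass unflagged. The Rails-style source it scans is constructed for the example.

```ruby
# Constructed sample of Rails query code (hypothetical models and params).
# Single-quoted heredoc so the #{...} inside is kept literally, not interpolated.
SAMPLE_SOURCE = <<~'RUBY'
  # hash conditions and bind placeholders: ActiveRecord quotes the values
  User.where(name: params[:name])
  User.where("name = ?", params[:name])
  # raw SQL fragments built from request input: injection vectors
  User.where("name = '#{params[:name]}'")
  Order.select("#{params[:cols]}").all
  Order.group(params[:col])
  Order.having("count(*) > #{params[:min]}")
  Order.order("created_at #{params[:dir]}")
RUBY

# ActiveRecord methods that accept a raw SQL fragment as their first argument.
FRAGMENT_METHODS = %w[where select group having order joins pluck reorder].freeze

# Returns one finding per line where a fragment method is called with a
# double-quoted string containing #{...} interpolation, or directly with a
# params[...] / request.* expression. Comment lines are skipped.
def find_fragment_interpolation(source)
  pattern = /\.(#{FRAGMENT_METHODS.join('|')})\(\s*(?:"[^"]*#\{|params\[|request\.)/
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.strip.start_with?('#')
    if (m = line.match(pattern))
      findings << { line: lineno, method: m[1], code: line.strip }
    end
  end
  findings
end

if __FILE__ == $0
  find_fragment_interpolation(SAMPLE_SOURCE).each do |f|
    puts "line #{f[:line]}: #{f[:method]} given an unquoted fragment -> #{f[:code]}"
  end
end
```

A single-line regex pass like this is only triage: it misses fragments assembled on an earlier line or passed through a variable, so a full scanner such as Brakeman is the real check.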