Will sanitize deal with SQL injection?
From its source code (extracted from here):

    def sanitize(object) #:nodoc:
      connection.quote(object)
    end

`sanitize` uses `quote`, whose source code (extracted from here) is:

    def quote(value, column = nil)
      self.class.connection.quote(value, column)
    end
I'm confused: it seems `sanitize` only adds quotes around the input, but when we are dealing with SQL injection, shouldn't we do much more, like eliminating a potential SQL query? What does it do, and can it really SANITIZE input before executing an SQL query?
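An added example, not from the original post and not Rails' own code: a stand-alone Ruby re-implementation of the kind of value quoting that `connection.quote` performs, to show why turning input into a single SQL string literal is enough to defeat injection at a value position, and why it is not enough at an identifier position such as `ORDER BY`. The helper names `quote_string`, `quote`, `find_user_sql`, `list_users_sql` and the payloads are assumptions made for illustration; the escaping rule shown is standard SQL (double every single quote), whereas Rails' real adapters also handle backslashes and other adapter-specific details.

```ruby
# Added example (not from the original post or from Rails): a minimal model of
# what value quoting does and does not protect against. Standard-SQL escaping
# only; real ActiveRecord adapters add backslash handling where the database
# needs it. All sample inputs below are constructed.

def quote_string(s)
  # In standard SQL the only character that can terminate a string literal is
  # the single quote, so doubling every quote keeps the whole value inside one
  # literal. Nothing is "removed"; the attacker's text survives, as data.
  s.gsub("'", "''")
end

# Stand-in for connection.quote: render a Ruby value as one SQL literal.
def quote(value)
  case value
  when nil            then "NULL"
  when true           then "TRUE"
  when false          then "FALSE"
  when Integer, Float then value.to_s
  when String         then "'#{quote_string(value)}'"
  else                     "'#{quote_string(value.to_s)}'"
  end
end

# Builds a query the way a model method might: the quoted value is dropped into
# the SQL text, so whatever it contains must parse as exactly one literal.
def find_user_sql(name)
  "SELECT * FROM users WHERE name = #{quote(name)}"
end

# The caveat: quote() only makes sense where the grammar expects a value.
# A column name in ORDER BY is an identifier; quoting it would yield a string
# literal (a constant sort key), not protection. That position needs an
# allow-list instead, which is what this hypothetical helper enforces.
ALLOWED_SORT_COLUMNS = %w[name created_at].freeze

def list_users_sql(sort_column)
  unless ALLOWED_SORT_COLUMNS.include?(sort_column)
    raise ArgumentError, "bad sort column: #{sort_column.inspect}"
  end
  "SELECT * FROM users ORDER BY #{sort_column}"
end

if __FILE__ == $PROGRAM_NAME
  payload = "' OR '1'='1" # constructed injection attempt
  puts find_user_sql(payload)
  # The payload is now the literal name ' OR '1'='1, not a boolean clause.
  puts find_user_sql("O'Brien")
  puts quote(42)
  puts quote(nil)
  begin
    list_users_sql("name; DROP TABLE users")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Run it with `ruby quote_demo.rb`: the first query prints `SELECT * FROM users WHERE name = ''' OR ''1''=''1'`, which the database reads as a comparison against one odd-looking string. That is the whole mechanism behind `sanitize`: it does not strip or detect anything, it makes the parser treat the input as data. The `ORDER BY` case is where that mechanism cannot apply, which is why quoting alone is not a general "sanitizer" and why bind parameters or allow-lists are preferred wherever the input is not a plain value.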